From fc9ae38ecb56b1cfb577fe1855e5adaeece73c06 Mon Sep 17 00:00:00 2001 From: yuanzhang9 Date: Sat, 20 Jul 2024 20:47:56 +0800 Subject: [PATCH 01/35] Disable DDoS protection for Azure China, #2 --- eslzArm/eslz-portal.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 72b639af87..3e4823e4c0 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -1204,7 +1204,7 @@ "type": "Microsoft.Common.OptionsGroup", "label": "Enable DDoS Network Protection", "defaultValue": "Yes (recommended)", - "visible": "[not(equals(steps('connectivity').enableHub, 'No'))]", + "visible": "[and(not(equals(steps('connectivity').enableHub, 'No'), not(equals(steps('basics').cloudEnvironment.selection, 'AzureChinaCloud')))]", "toolTip": "If 'Yes' is selected when also adding a connectivity subscription, DDoS Network Protection will be enabled on the connectivity virtual network. Please note that DDoS Network Protection does incur additional costs that need to be considered, for more information: DDoS Network Protection pricing.", "constraints": { "allowedValues": [ From 50de71454f04cb36eba0547dad2e93361e3d27e3 Mon Sep 17 00:00:00 2001 From: yuanzhang9 Date: Sat, 20 Jul 2024 23:06:30 +0800 Subject: [PATCH 02/35] Disable DDoS protection for Azure China, Azure#3 --- eslzArm/eslz-portal.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 3e4823e4c0..0514fe77ec 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -1204,7 +1204,7 @@ "type": "Microsoft.Common.OptionsGroup", "label": "Enable DDoS Network Protection", "defaultValue": "Yes (recommended)", - "visible": "[and(not(equals(steps('connectivity').enableHub, 'No'), not(equals(steps('basics').cloudEnvironment.selection, 'AzureChinaCloud')))]", + "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('basics').cloudEnvironment.selection, 'AzureChinaCloud')))]", "toolTip": "If 'Yes' is selected when also adding a connectivity subscription, DDoS Network Protection will be enabled on the connectivity virtual network. Please note that DDoS Network Protection does incur additional costs that need to be considered, for more information: DDoS Network Protection pricing.", "constraints": { "allowedValues": [ From 2d4eada2880590e3f2e886dc41cadaee7fdb4496 Mon Sep 17 00:00:00 2001 From: yuanzhang9 Date: Wed, 24 Jul 2024 14:02:35 +0800 Subject: [PATCH 03/35] Update for private DNS zone policies and assignenmt --- eslzArm/eslzArm.json | 2 +- ...cDINE-PrivateDNSZonesPolicyAssignment.json | 411 +++++++++++ ...loy-Private-DNS-Zones.AzureChinaCloud.json | 697 +++++++++++++++++- 3 files changed, 1092 insertions(+), 18 deletions(-) create mode 100644 eslzArm/managementGroupTemplates/policyAssignments/china/mcDINE-PrivateDNSZonesPolicyAssignment.json diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index 0233736be1..cea89276be 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -1578,7 +1578,7 @@ "azPrivateDnsPolicyAssignmentMapping": { "https://management.azure.com/": "managementGroupTemplates/policyAssignments/DINE-PrivateDNSZonesPolicyAssignment.json", "https://management.usgovcloudapi.net": "managementGroupTemplates/policyAssignments/gov/fairfaxDINE-PrivateDNSZonesPolicyAssignment.json", - "https://management.chinacloudapi.cn": "managementGroupTemplates/policyAssignments/china/mcDINE-MDFCConfigPolicyAssignment.json" + "https://management.chinacloudapi.cn": "managementGroupTemplates/policyAssignments/china/mcDINE-PrivateDNSZonesPolicyAssignment.json" }, "azPrivateDnsPolicyAssignment": "[variables('azPrivateDnsPolicyAssignmentMapping')[environment().resourceManager]]", diff --git a/eslzArm/managementGroupTemplates/policyAssignments/china/mcDINE-PrivateDNSZonesPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/china/mcDINE-PrivateDNSZonesPolicyAssignment.json new file mode 100644 index 0000000000..4c84dcc5f2 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/china/mcDINE-PrivateDNSZonesPolicyAssignment.json @@ -0,0 +1,411 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + }, + "dnsZoneResourceGroupId": { + "type": "string", + "metadata": { + "description": "Provide the resourceId of the resource group for private DNS, which will construct the full resourceId for the private DNS zones." + } + }, + "location": { + "type": "string", + "metadata": { + "description": "Provide the location where the virtual network is created (hub)" + } + } + }, + "variables": { + "azBackupGeoCodes": { + "australiacentral": "acl", + "australiacentral2": "acl2", + "australiaeast": "ae", + "australiasoutheast": "ase", + "brazilsouth": "brs", + "brazilsoutheast": "bse", + "centraluseuap": "ccy", + "canadacentral": "cnc", + "canadaeast": "cne", + "centralus": "cus", + "eastasia": "ea", + "eastus2euap": "ecy", + "eastus": "eus", + "eastus2": "eus2", + "francecentral": "frc", + "francesouth": "frs", + "germanynorth": "gn", + "germanywestcentral": "gwc", + "centralindia": "inc", + "southindia": "ins", + "westindia": "inw", + "italynorth": "itn", + "japaneast": "jpe", + "japanwest": "jpw", + "jioindiacentral": "jic", + "jioindiawest": "jiw", + "koreacentral": "krc", + "koreasouth": "krs", + "northcentralus": "ncus", + "northeurope": "ne", + "norwayeast": "nwe", + "norwaywest": "nww", + "qatarcentral": "qac", + "southafricanorth": "san", + "southafricawest": "saw", + "southcentralus": "scus", + "swedencentral": "sdc", + "swedensouth": "sds", + "southeastasia": "sea", + "switzerlandnorth": "szn", + "switzerlandwest": "szw", + "uaecentral": "uac", + "uaenorth": "uan", + "uksouth": "uks", + "ukwest": "ukw", + "westcentralus": "wcus", + "westeurope": "we", + "westus": "wus", + "westus2": "wus2", + "westus3": "wus3", + "usdodcentral": "udc", + "usdodeast": "ude", + "usgovarizona": "uga", + "usgoviowa": "ugi", + "usgovtexas": "ugt", + "usgovvirginia": "ugv", + "usnateast": "exe", + "usnatwest": "exw", + "usseceast": "rxe", + "ussecwest": "rxw", + "chinanorth": "bjb", + "chinanorth2": "bjb2", + "chinanorth3": "bjb3", + "chinaeast": "sha", + "chinaeast2": "sha2", + "chinaeast3": "sha3", + "germanycentral": "gec", + "germanynortheast": "gne" + }, + "baseId": "[concat(parameters('dnsZoneResourceGroupId'), '/providers/Microsoft.Network/privateDnsZones/')]", + "policyParameterMapping": { + "azureFilePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.afs.azure.cn')]", + "azureAutomationWebhookPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azure-automation.cn')]", + "azureAutomationDSCHybridPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azure-automation.cn')]", + "azureCosmosSQLPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.documents.azure.cn')]", + "azureCosmosMongoPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.mongo.cosmos.azure.cn')]", + "azureCosmosCassandraPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.cassandra.cosmos.azure.cn')]", + "azureCosmosGremlinPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.gremlin.cosmos.azure.cn')]", + "azureCosmosTablePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.table.cosmos.azure.cn')]", + "azureDataFactoryPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.datafactory.azure.cn')]", + "azureDataFactoryPortalPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.adf.azure.cn')]", + // Not supported in Mooncake yet + //"azureDatabricksPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azuredatabricks.net')]", + "azureHDInsightPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azurehdinsight.cn')]", + // MigrateNot supported in Mooncake yet + //"azureMigratePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.prod.migration.windowsazure.com')]", + "azureStorageBlobPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.blob.core.chinacloudapi.cn')]", + "azureStorageBlobSecPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.blob.core.chinacloudapi.cn')]", + "azureStorageQueuePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.queue.core.chinacloudapi.cn')]", + "azureStorageQueueSecPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.queue.core.chinacloudapi.cn')]", + "azureStorageFilePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.file.core.chinacloudapi.cn')]", + "azureStorageStaticWebPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.web.core.chinacloudapi.cn')]", + "azureStorageStaticWebSecPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.web.core.chinacloudapi.cn')]", + "azureStorageDFSPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.dfs.core.chinacloudapi.cn')]", + "azureStorageDFSSecPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.dfs.core.chinacloudapi.cn')]", + "azureSynapseSQLPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.sql.azuresynapse.azure.cn')]", + "azureSynapseSQLODPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.sql.azuresynapse.azure.cn')]", + "azureSynapseDevPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.dev.azuresynapse.azure.cn')]", + "azureMonitorPrivateDnsZoneId1": "[concat(variables('baseId'), 'privatelink.monitor.azure.cn')]", + "azureMonitorPrivateDnsZoneId2": "[concat(variables('baseId'), 'privatelink.oms.opinsights.azure.cn')]", + "azureMonitorPrivateDnsZoneId3": "[concat(variables('baseId'), 'privatelink.ods.opinsights.azure.cn')]", + "azureMonitorPrivateDnsZoneId4": "[concat(variables('baseId'), 'privatelink.agentsvc.azure-automation.net')]", // No change for Mooncake + "azureMonitorPrivateDnsZoneId5": "[concat(variables('baseId'), 'privatelink.blob.core.chinacloudapi.cn')]", + "azureWebPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.webpubsub.azure.cn')]", + "azureBatchPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.batch.chinacloudapi.cn')]", + "azureAppPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azconfig.azure.cn')]", + // Azure Site Recovery is NOT supported in Mooncake yet + //"azureAsrPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.siterecovery.windowsazure.com')]", + "azureIotPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azure-devices-provisioning.cn')]", + "azureKeyVaultPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.vaultcore.azure.cn')]", + "azureSignalRPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.service.signalr.azure.cn')]", + "azureAppServicesPrivateDnsZoneId": "[concat(variables('baseId'), ' privatelink.chinacloudsites.cn')]", + "azureEventGridTopicsPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.eventgrid.azure.cn')]", + "azureDiskAccessPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.blob.core.chinacloudapi.cn')]", + "azureCognitiveServicesPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.cognitiveservices.azure.cn')]", + "azureIotHubsPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azure-devices.cn')]", + "azureEventGridDomainsPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.eventgrid.azure.cn')]", + "azureRedisCachePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.redis.cache.chinacloudapi.cn')]", + "azureAcrPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azurecr.cn')]", + "azureEventHubNamespacePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.servicebus.chinacloudapi.cn')]", + "azureMachineLearningWorkspacePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.api.ml.azure.cn')]", + "azureMachineLearningWorkspaceSecondPrivateDnsZoneId" : "[concat(variables('baseId'), 'privatelink.notebooks.chinacloudapi.cn')]", + "azureServiceBusNamespacePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.servicebus.chinacloudapi.cn')]", + "azureCognitiveSearchPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.search.azure.cn')]", + //Azure Bot Service is NOT supported in Mooncake yet + //"azureBotServicePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.directline.botframework.com')]", + //Azure Managed Grafana is NOT supported in Mooncake yet + //"azureManagedGrafanaWorkspacePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.grafana.azure.com')]", + "azureVirtualDesktopHostpoolPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.wvd.azure.cn')]", + "azureVirtualDesktopWorkspacePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink-global.wvd.azure.cn')]", + "azureIotDeviceupdatePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azure-devices.cn')]", + // Azure Arc is NOT supported in Mooncake yet + //"azureArcGuestconfigurationPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.guestconfiguration.azure.com')]", + //"azureArcHybridResourceProviderPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.his.arc.azure.com')]", + //"azureArcKubernetesConfigurationPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.dp.kubernetesconfiguration.azure.com')]", + // Azure IoT Central is NOT supported in Mooncake yet + //"azureIotCentralPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azureiotcentral.com')]", + "azureStorageTablePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.table.core.chinacloudapi.cn')]", + "azureStorageTableSecondaryPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.table.core.chinacloudapi.cn')]", + "azureSiteRecoveryBackupPrivateDnsZoneID": "[concat(variables('baseId'), replace('privatelink.regionGeoShortCode.backup.windowsazure.cn','regionGeoShortCode',variables('azBackupGeoCodes')[toLower(parameters('location'))]))]", + "azureSiteRecoveryBlobPrivateDnsZoneID": "[concat(variables('baseId'), 'privatelink.blob.core.chinacloudapi.cn')]", + "azureSiteRecoveryQueuePrivateDnsZoneID": "[concat(variables('baseId'), 'privatelink.queue.core.chinacloudapi.cn')]" + }, + "policyDefinitions": { + "deployPrivateDnsZones": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones')]" + }, + "policyAssignmentNames": { + "deployPrivateDnsZones": "Deploy-Private-DNS-Zones", + "displayName": "Configure Azure PaaS services to use private DNS zones", + "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones" + }, + "nonComplianceMessage": { + "message": "Azure PaaS services {enforcementMode} use private DNS zones.", + "Default": "must", + "DoNotEnforce": "should" + }, + "roleAssignmentNames": { + "deployPrivateDnsZones": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').deployPrivateDnsZones))]" + }, + "policyRbac": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7" + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').deployPrivateDnsZones]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').deployPrivateDnsZones]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ], + "parameters": { + "azureFilePrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureFilePrivateDnsZoneId]" + }, + "azureAutomationWebhookPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureAutomationWebhookPrivateDnsZoneId]" + }, + "azureAutomationDSCHybridPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureAutomationDSCHybridPrivateDnsZoneId]" + }, + "azureCosmosSQLPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureCosmosSQLPrivateDnsZoneId]" + }, + "azureCosmosMongoPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureCosmosMongoPrivateDnsZoneId]" + }, + "azureCosmosCassandraPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureCosmosCassandraPrivateDnsZoneId]" + }, + "azureCosmosGremlinPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureCosmosGremlinPrivateDnsZoneId]" + }, + "azureCosmosTablePrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureCosmosTablePrivateDnsZoneId]" + }, + "azureDataFactoryPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureDataFactoryPrivateDnsZoneId]" + }, + "azureDataFactoryPortalPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureDataFactoryPortalPrivateDnsZoneId]" + }, + "azureHDInsightPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureHDInsightPrivateDnsZoneId]" + }, + + "azureStorageBlobPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureStorageBlobPrivateDnsZoneId]" + }, + "azureStorageBlobSecPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureStorageBlobSecPrivateDnsZoneId]" + }, + "azureStorageQueuePrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureStorageQueuePrivateDnsZoneId]" + }, + "azureStorageQueueSecPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureStorageQueueSecPrivateDnsZoneId]" + }, + "azureStorageFilePrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureStorageFilePrivateDnsZoneId]" + }, + "azureStorageStaticWebPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureStorageStaticWebPrivateDnsZoneId]" + }, + "azureStorageStaticWebSecPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureStorageStaticWebSecPrivateDnsZoneId]" + }, + "azureStorageDFSPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureStorageDFSPrivateDnsZoneId]" + }, + "azureStorageDFSSecPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureStorageDFSSecPrivateDnsZoneId]" + }, + "azureSynapseSQLPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureSynapseSQLPrivateDnsZoneId]" + }, + "azureSynapseSQLODPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureSynapseSQLODPrivateDnsZoneId]" + }, + "azureSynapseDevPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureSynapseDevPrivateDnsZoneId]" + }, + "azureMonitorPrivateDnsZoneId1": { + "value": "[variables('policyParameterMapping').azureMonitorPrivateDnsZoneId1]" + }, + "azureMonitorPrivateDnsZoneId2": { + "value": "[variables('policyParameterMapping').azureMonitorPrivateDnsZoneId2]" + }, + "azureMonitorPrivateDnsZoneId3": { + "value": "[variables('policyParameterMapping').azureMonitorPrivateDnsZoneId3]" + }, + "azureMonitorPrivateDnsZoneId4": { + "value": "[variables('policyParameterMapping').azureMonitorPrivateDnsZoneId4]" + }, + "azureMonitorPrivateDnsZoneId5": { + "value": "[variables('policyParameterMapping').azureMonitorPrivateDnsZoneId5]" + }, + "azureWebPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureWebPrivateDnsZoneId]" + }, + "azureBatchPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureBatchPrivateDnsZoneId]" + }, + "azureAppPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureAppPrivateDnsZoneId]" + }, + + "azureIotPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureIotPrivateDnsZoneId]" + }, + "azureKeyVaultPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureKeyVaultPrivateDnsZoneId]" + }, + "azureSignalRPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureSignalRPrivateDnsZoneId]" + }, + "azureAppServicesPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureAppServicesPrivateDnsZoneId]" + }, + "azureEventGridTopicsPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureEventGridTopicsPrivateDnsZoneId]" + }, + "azureDiskAccessPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureDiskAccessPrivateDnsZoneId]" + }, + "azureCognitiveServicesPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureCognitiveServicesPrivateDnsZoneId]" + }, + "azureIotHubsPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureIotHubsPrivateDnsZoneId]" + }, + "azureEventGridDomainsPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureEventGridDomainsPrivateDnsZoneId]" + }, + "azureRedisCachePrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureRedisCachePrivateDnsZoneId]" + }, + "azureAcrPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureAcrPrivateDnsZoneId]" + }, + "azureEventHubNamespacePrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureEventHubNamespacePrivateDnsZoneId]" + }, + "azureMachineLearningWorkspacePrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureMachineLearningWorkspacePrivateDnsZoneId]" + }, + "azureMachineLearningWorkspaceSecondPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureMachineLearningWorkspaceSecondPrivateDnsZoneId]" + }, + "azureServiceBusNamespacePrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureServiceBusNamespacePrivateDnsZoneId]" + }, + "azureCognitiveSearchPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureCognitiveSearchPrivateDnsZoneId]" + }, + + "azureVirtualDesktopHostpoolPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureVirtualDesktopHostpoolPrivateDnsZoneId]" + }, + "azureVirtualDesktopWorkspacePrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureVirtualDesktopWorkspacePrivateDnsZoneId]" + }, + "azureIotDeviceupdatePrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureIotDeviceupdatePrivateDnsZoneId]" + }, + + "azureStorageTablePrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureStorageTablePrivateDnsZoneId]" + }, + "azureStorageTableSecondaryPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureStorageTableSecondaryPrivateDnsZoneId]" + }, + "azureSiteRecoveryBackupPrivateDnsZoneID": { + "value": "[variables('policyParameterMapping').azureSiteRecoveryBackupPrivateDnsZoneID]" + }, + "azureSiteRecoveryBlobPrivateDnsZoneID": { + "value": "[variables('policyParameterMapping').azureSiteRecoveryBlobPrivateDnsZoneID]" + }, + "azureSiteRecoveryQueuePrivateDnsZoneID": { + "value": "[variables('policyParameterMapping').azureSiteRecoveryQueuePrivateDnsZoneID]" + } + } + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployPrivateDnsZones]", + "dependsOn": [ + "[variables('policyAssignmentNames').deployPrivateDnsZones]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[variables('policyRbac')]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deployPrivateDnsZones), '2019-09-01', 'Full').identity.principalId)]" + } + } + ], + "outputs": { + "principalId": { + "type": "string", + "value": "[reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deployPrivateDnsZones), '2019-09-01', 'Full').identity.principalId]" + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json index fc77ee5981..11df0daf3f 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json @@ -8,7 +8,7 @@ "displayName": "Configure Azure PaaS services to use private DNS zones", "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones", "metadata": { - "version": "1.0.1", + "version": "1.2.0", "category": "Network", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -25,6 +25,159 @@ "description": "Private DNS Zone Identifier" } }, + "azureAutomationWebhookPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureAutomationWebhookPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureAutomationDSCHybridPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureAutomationDSCHybridPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureCosmosSQLPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureCosmosSQLPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureCosmosMongoPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureCosmosMongoPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureCosmosCassandraPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureCosmosCassandraPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureCosmosGremlinPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureCosmosGremlinPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureCosmosTablePrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureCosmosTablePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureDataFactoryPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureDataFactoryPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureDataFactoryPortalPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureDataFactoryPortalPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureSynapseSQLPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureSynapseSQLPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureSynapseSQLODPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureSynapseSQLODPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureSynapseDevPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureSynapseDevPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureMonitorPrivateDnsZoneId1": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureMonitorPrivateDnsZoneId1", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureMonitorPrivateDnsZoneId2": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureMonitorPrivateDnsZoneId2", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureMonitorPrivateDnsZoneId3": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureMonitorPrivateDnsZoneId3", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureMonitorPrivateDnsZoneId4": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureMonitorPrivateDnsZoneId4", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureMonitorPrivateDnsZoneId5": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureMonitorPrivateDnsZoneId5", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, "azureWebPrivateDnsZoneId": { "type": "string", "defaultValue": "", @@ -178,6 +331,15 @@ "description": "Private DNS Zone Identifier" } }, + "azureMachineLearningWorkspaceSecondPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureMachineLearningWorkspaceSecondPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, "azureServiceBusNamespacePrivateDnsZoneId": { "type": "string", "defaultValue": "", @@ -196,6 +358,78 @@ "description": "Private DNS Zone Identifier" } }, + "azureVirtualDesktopHostpoolPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureVirtualDesktopHostpoolPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureVirtualDesktopWorkspacePrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureVirtualDesktopWorkspacePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureIotDeviceupdatePrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureIotDeviceupdatePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureStorageTablePrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureStorageTablePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureStorageTableSecondaryPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureStorageTableSecondaryPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureSiteRecoveryBackupPrivateDnsZoneID": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureSiteRecoveryBackupPrivateDnsZoneID", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureSiteRecoveryBlobPrivateDnsZoneID": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureSiteRecoveryBlobPrivateDnsZoneID", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureSiteRecoveryQueuePrivateDnsZoneID": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureSiteRecoveryQueuePrivateDnsZoneID", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, "effect": { "type": "string", "metadata": { @@ -223,8 +457,8 @@ }, "policyDefinitions": [ { - "policyDefinitionReferenceId": "Deploy-Private-DNS-Azure-File-Sync", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-File-Sync", + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-File-Sync", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475", "parameters": { "privateDnsZoneId": { "value": "[[parameters('azureFilePrivateDnsZoneId')]" @@ -236,11 +470,14 @@ "groupNames": [] }, { - "policyDefinitionReferenceId": "Deploy-Private-DNS-Azure-Web", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-Web", + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Automation-Webhook", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064", "parameters": { "privateDnsZoneId": { - "value": "[[parameters('azureWebPrivateDnsZoneId')]" + "value": "[[parameters('azureAutomationWebhookPrivateDnsZoneId')]" + }, + "privateEndpointGroupId": { + "value": "Webhook" }, "effect": { "value": "[[parameters('effect')]" @@ -249,11 +486,14 @@ "groupNames": [] }, { - "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Batch", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8", + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Automation-DSCHybrid", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064", "parameters": { "privateDnsZoneId": { - "value": "[[parameters('azureBatchPrivateDnsZoneId')]" + "value": "[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]" + }, + "privateEndpointGroupId": { + "value": "DSCAndHybridWorker" }, "effect": { "value": "[[parameters('effect')]" @@ -262,11 +502,14 @@ "groupNames": [] }, { - "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-App", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df", + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Cosmos-SQL", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f", "parameters": { "privateDnsZoneId": { - "value": "[[parameters('azureAppPrivateDnsZoneId')]" + "value": "[[parameters('azureCosmosSQLPrivateDnsZoneId')]" + }, + "privateEndpointGroupId": { + "value": "SQL" }, "effect": { "value": "[[parameters('effect')]" @@ -275,11 +518,14 @@ "groupNames": [] }, { - "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Site-Recovery", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2", + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Cosmos-MongoDB", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f", "parameters": { "privateDnsZoneId": { - "value": "[[parameters('azureAsrPrivateDnsZoneId')]" + "value": "[[parameters('azureCosmosMongoPrivateDnsZoneId')]" + }, + "privateEndpointGroupId": { + "value": "MongoDB" }, "effect": { "value": "[[parameters('effect')]" @@ -287,6 +533,336 @@ }, "groupNames": [] }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Cosmos-Cassandra", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureCosmosCassandraPrivateDnsZoneId')]" + }, + "privateEndpointGroupId": { + "value": "Cassandra" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Cosmos-Gremlin", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureCosmosGremlinPrivateDnsZoneId')]" + }, + "privateEndpointGroupId": { + "value": "Gremlin" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Cosmos-Table", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureCosmosTablePrivateDnsZoneId')]" + }, + "privateEndpointGroupId": { + "value": "Table" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-DataFactory", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureDataFactoryPrivateDnsZoneId')]" + }, + "listOfGroupIds": { + "value": [ + "dataFactory" + ] + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-DataFactory-Portal", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]" + }, + "listOfGroupIds": { + "value": [ + "portal" + ] + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-HDInsight", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureHDInsightPrivateDnsZoneId')]" + }, + "groupId": { + "value": "cluster" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Blob", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureStorageBlobPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Blob-Sec", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureStorageBlobSecPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Queue", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureStorageQueuePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Queue-Sec", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureStorageQueueSecPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-File", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureStorageFilePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-StaticWeb", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureStorageStaticWebPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-StaticWeb-Sec", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-DFS", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureStorageDFSPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-DFS-Sec", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureStorageDFSSecPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Synapse-SQL", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureSynapseSQLPrivateDnsZoneId')]" + }, + "targetSubResource": { + "value": "Sql" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Synapse-SQL-OnDemand", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureSynapseSQLODPrivateDnsZoneId')]" + }, + "targetSubResource": { + "value": "SqlOnDemand" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Synapse-Dev", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureSynapseDevPrivateDnsZoneId')]" + }, + "targetSubResource": { + "value": "Dev" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Monitor", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365", + "parameters": { + "privateDnsZoneId1": { + "value": "[[parameters('azureMonitorPrivateDnsZoneId1')]" + }, + "privateDnsZoneId2": { + "value": "[[parameters('azureMonitorPrivateDnsZoneId2')]" + }, + "privateDnsZoneId3": { + "value": "[[parameters('azureMonitorPrivateDnsZoneId3')]" + }, + "privateDnsZoneId4": { + "value": "[[parameters('azureMonitorPrivateDnsZoneId4')]" + }, + "privateDnsZoneId5": { + "value": "[[parameters('azureMonitorPrivateDnsZoneId5')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Web", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureWebPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Batch", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureBatchPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-App", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureAppPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-IoT", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8", @@ -301,8 +877,8 @@ "groupNames": [] }, { - "policyDefinitionReferenceId": "Deploy-Private-DNS-Azure-KeyVault", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-KeyVault", + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-KeyVault", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4", "parameters": { "privateDnsZoneId": { "value": "[[parameters('azureKeyVaultPrivateDnsZoneId')]" @@ -450,6 +1026,9 @@ "privateDnsZoneId": { "value": "[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]" }, + "secondPrivateDnsZoneId": { + "value": "[[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]" + }, "effect": { "value": "[[parameters('effect')]" } @@ -481,6 +1060,90 @@ } }, "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-VirtualDesktopHostpool", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]" + }, + "privateEndpointGroupId": { + "value": "connection" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-VirtualDesktopWorkspace", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]" + }, + "privateEndpointGroupId": { + "value": "feed" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-IoTDeviceupdate", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureIotDeviceupdatePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Table", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a", + "parameters":{ + "privateDnsZoneId": { + "value": "[[parameters('azureStorageTablePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Table-Secondary", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f", + "parameters":{ + "privateDnsZoneId": { + "value": "[[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Site-Recovery-Backup", + "policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820", + "parameters":{ + "privateDnsZone-Backup": { + "value": "[[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]" + }, + "privateDnsZone-Blob": { + "value": "[[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]" + }, + "privateDnsZone-Queue": { + "value": "[[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } } ], "policyDefinitionGroups": null From f636772a61dfe93f645be0c8962d7e56874dbc41 Mon Sep 17 00:00:00 2001 From: yuanzhang9 Date: Thu, 25 Jul 2024 10:30:31 +0800 Subject: [PATCH 04/35] Update for policy VM Auto Shutdown and initiative assignment RegulatoryCompliance --- eslzArm/eslzArm.json | 9 +- ...cDINE-PrivateDNSZonesPolicyAssignment.json | 2 +- ...-RegulatoryCompliancePolicyAssignment.json | 4357 +++++++++++++++++ src/templates/policies.bicep | 2 +- 4 files changed, 4367 insertions(+), 3 deletions(-) create mode 100644 eslzArm/managementGroupTemplates/policyAssignments/china/mcENFORCE-RegulatoryCompliancePolicyAssignment.json diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index cea89276be..6954c148e0 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -1582,6 +1582,13 @@ }, "azPrivateDnsPolicyAssignment": "[variables('azPrivateDnsPolicyAssignmentMapping')[environment().resourceManager]]", + // Referring to different Policy Set definition for different cloud enviornment + "regulatoryCompliancePolicyAssignmentMapping": { + "https://management.azure.com/": "managementGroupTemplates/policyAssignments/ENFORCE-RegulatoryCompliancePolicyAssignment.json", + "https://management.chinacloudapi.cn": "managementGroupTemplates/policyAssignments/china/mcENFORCE-RegulatoryCompliancePolicyAssignment.json" + + }, + "regulatoryCompliancePolicy": "[variables('regulatoryCompliancePolicyAssignmentMapping')[environment().resourceManager]]", "deploymentUris": { "managementGroups": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/mgmtGroupStructure/mgmtGroups.json')]", "managementGroupsLite": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/mgmtGroupStructure/mgmtGroupsLite.json')]", @@ -1600,7 +1607,7 @@ "logAnalyticsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json')]", "monitoringSolutions": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/logAnalyticsSolutions.json')]", "asbPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ASBPolicyAssignment.json')]", - "regulatoryComplianceInitaitves": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-RegulatoryCompliancePolicyAssignment.json')]", + "regulatoryComplianceInitaitves": "[uri(deployment().properties.templateLink.uri, variables('regulatoryCompliancePolicy'))]", "resourceDiagnosticsInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json')]", "activityDiagnosticsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json')]", "mdfcConfigPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-MDFCConfigPolicyAssignment.json')]", diff --git a/eslzArm/managementGroupTemplates/policyAssignments/china/mcDINE-PrivateDNSZonesPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/china/mcDINE-PrivateDNSZonesPolicyAssignment.json index 4c84dcc5f2..ddd80950ce 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/china/mcDINE-PrivateDNSZonesPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/china/mcDINE-PrivateDNSZonesPolicyAssignment.json @@ -179,7 +179,7 @@ "azureSiteRecoveryQueuePrivateDnsZoneID": "[concat(variables('baseId'), 'privatelink.queue.core.chinacloudapi.cn')]" }, "policyDefinitions": { - "deployPrivateDnsZones": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones')]" + "deployPrivateDnsZones": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json')]" }, "policyAssignmentNames": { "deployPrivateDnsZones": "Deploy-Private-DNS-Zones", diff --git a/eslzArm/managementGroupTemplates/policyAssignments/china/mcENFORCE-RegulatoryCompliancePolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/china/mcENFORCE-RegulatoryCompliancePolicyAssignment.json new file mode 100644 index 0000000000..ec61d1e5d2 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/china/mcENFORCE-RegulatoryCompliancePolicyAssignment.json @@ -0,0 +1,4357 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "policySetDefinitionId": { + "type": "string", + "metadata": { + "description": "Resource ID of the Policy Initative (Set Definition)" + } + }, + "policySetDefinitionDisplayName": { + "type": "string", + "metadata": { + "description": "The Display Name for the Policy Initative (Set Definition)" + } + }, + "policySetDefinitionDescription": { + "type": "string", + "metadata": { + "description": "The Description for the Policy Initative (Set Definition)" + } + }, + "policyAssignmentName": { + "type": "string", + "metadata": { + "description": "The name for the Policy Assignment" + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "logAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "The Resource ID of the Log Analytics Workspace" + } + }, + "regCompPolParAusGovIsmRestrictedVmAdminsExclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParAusGovIsmRestrictedResourceTypes": { + "type": "string", + "defaultValue": "all" + }, + "regCompPolParMPAACertificateThumb": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParMPAAApplicationName": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParMPAAStoragePrefix": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParMPAAResGroupPrefix": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParMPAARBatchMetricName": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParSovBaseConfRegions": { + "type": "array", + "defaultValue": [] + }, + "regCompPolParSovBaseGlobalRegions": { + "type": "array", + "defaultValue": [] + }, + "regCompPolParSwift2020VmAdminsInclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParSwift2020DomainFqdn": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParCanadaFedPbmmVmAdminsInclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParCanadaFedPbmmVmAdminsExclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParCisV2KeyVaultKeysRotateDays": { + "type": "int", + "defaultValue": 90 + }, + "regCompPolParCmmcL3VmAdminsInclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParCmmcL3VmAdminsExclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParHitrustHipaaApplicationName": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParHitrustHipaaStoragePrefix": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParHitrustHipaaResGroupPrefix": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParHitrustHipaaCertificateThumb": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParIrs1075Sep2016VmAdminsExclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParIrs1075Sep2016VmAdminsInclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParNZIsmRestrictedVmAdminsInclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParNZIsmRestrictedVmAdminsExclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParNistSp800171R2VmAdminsExclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParNistSp800171R2VmAdminsInclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParSoc2Type2AllowedRegistries": { + "type": "string", + "defaultValue": "^[^\\/]+\\.azurecr\\.io\\/.+$" + }, + "regCompPolParSoc2Type2MaxCpuUnits": { + "type": "string", + "defaultValue": "200m" + }, + "regCompPolParSoc2Type2MaxMemoryBytes": { + "type": "string", + "defaultValue": "1Gi" + } + }, + "variables": { + "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c", + "roleAssignmentNames": { + "deployRoles": "[guid(concat(parameters('topLevelManagementGroupPrefix'), parameters('policyAssignmentName')))]" + }, + "knownPolicyInitativeDefinitionIdsThatRequireParamaeters": [ + "/providers/Microsoft.Authorization/policySetDefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077", + "/providers/Microsoft.Authorization/policySetDefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8", + "/providers/Microsoft.Authorization/policySetDefinitions/03de05a4-c324-4ccd-882f-a814ea8ab9ea", + "/providers/Microsoft.Authorization/policySetDefinitions/c1cbff38-87c0-4b9f-9f70-035c7a3b5523", + "/providers/Microsoft.Authorization/policySetDefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22", + "/providers/Microsoft.Authorization/policySetDefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87", + "/providers/Microsoft.Authorization/policySetDefinitions/06f19060-9e68-4070-92ca-f15cc126059e", + "/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de", + "/providers/Microsoft.Authorization/policySetDefinitions/a169a624-5599-4385-a696-c8d643089fab", + "/providers/Microsoft.Authorization/policySetDefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d", + "/providers/Microsoft.Authorization/policySetDefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a", + "/providers/Microsoft.Authorization/policySetDefinitions/03055927-78bd-4236-86c0-f36125a10dc9", + "/providers/Microsoft.Authorization/policySetDefinitions/4054785f-702b-4a98-9215-009cbd58b141" + ], + "allResourceTypes": [ + "Microsoft.Security/operations", + "Microsoft.Security/securityStatuses", + "Microsoft.Security/tasks", + "Microsoft.Security/secureScores", + "Microsoft.Security/secureScores/secureScoreControls", + "Microsoft.Security/secureScoreControls", + "Microsoft.Security/secureScoreControlDefinitions", + "Microsoft.Security/connectors", + "Microsoft.Security/regulatoryComplianceStandards", + "Microsoft.Security/regulatoryComplianceStandards/regulatoryComplianceControls", + "Microsoft.Security/regulatoryComplianceStandards/regulatoryComplianceControls/regulatoryComplianceAssessments", + "Microsoft.Security/alerts", + "Microsoft.Security/alertsSuppressionRules", + "Microsoft.Security/autoDismissAlertsRules", + "Microsoft.Security/dataCollectionAgents", + "Microsoft.Security/pricings", + "Microsoft.Security/pricings/securityOperators", + "Microsoft.Security/AutoProvisioningSettings", + "Microsoft.Security/MdeOnboardings", + "Microsoft.Security/vmScanners", + "Microsoft.Security/Compliances", + "Microsoft.Security/securityContacts", + "Microsoft.Security/workspaceSettings", + "Microsoft.Security/complianceResults", + "Microsoft.Security/policies", + "Microsoft.Security/assessments", + "Microsoft.Security/governanceRules", + "Microsoft.Security/assessments/governanceAssignments", + "Microsoft.Security/assessmentMetadata", + "Microsoft.Security/subAssessments", + "Microsoft.Security/securitySolutions", + "Microsoft.Security/locations/securitySolutions", + "Microsoft.Security/discoveredSecuritySolutions", + "Microsoft.Security/locations/discoveredSecuritySolutions", + "Microsoft.Security/allowedConnections", + "Microsoft.Security/locations/allowedConnections", + "Microsoft.Security/topologies", + "Microsoft.Security/locations/topologies", + "Microsoft.Security/securitySolutionsReferenceData", + "Microsoft.Security/locations/securitySolutionsReferenceData", + "Microsoft.Security/jitPolicies", + "Microsoft.Security/jitNetworkAccessPolicies", + "Microsoft.Security/locations/jitNetworkAccessPolicies", + "Microsoft.Security/locations", + "Microsoft.Security/securityStatusesSummaries", + "Microsoft.Security/applicationWhitelistings", + "Microsoft.Security/locations/applicationWhitelistings", + "Microsoft.Security/locations/alerts", + "Microsoft.Security/locations/tasks", + "Microsoft.Security/externalSecuritySolutions", + "Microsoft.Security/locations/externalSecuritySolutions", + "Microsoft.Security/InformationProtectionPolicies", + "Microsoft.Security/advancedThreatProtectionSettings", + "Microsoft.Security/sqlVulnerabilityAssessments", + "Microsoft.Security/deviceSecurityGroups", + "Microsoft.Security/iotSecuritySolutions", + "Microsoft.Security/iotSecuritySolutions/analyticsModels", + "Microsoft.Security/iotSecuritySolutions/iotAlertTypes", + "Microsoft.Security/iotSecuritySolutions/iotAlerts", + "Microsoft.Security/iotSecuritySolutions/iotRecommendationTypes", + "Microsoft.Security/iotSecuritySolutions/iotRecommendations", + "Microsoft.Security/iotSecuritySolutions/analyticsModels/aggregatedAlerts", + "Microsoft.Security/iotSecuritySolutions/analyticsModels/aggregatedRecommendations", + "Microsoft.Security/settings", + "Microsoft.Security/serverVulnerabilityAssessments", + "Microsoft.Security/serverVulnerabilityAssessmentsSettings", + "Microsoft.Security/adaptiveNetworkHardenings", + "Microsoft.Security/automations", + "Microsoft.Security/defenderForStorageSettings", + "Microsoft.Security/dataScanners", + "Microsoft.Security/securityConnectors", + "Microsoft.Security/securityConnectors/devops", + "Microsoft.Security/customRecommendations", + "Microsoft.Security/customAssessmentAutomations", + "Microsoft.Security/securityStandards", + "Microsoft.Security/standards", + "Microsoft.Security/standardAssignments", + "Microsoft.Security/assignments", + "Microsoft.Security/sensitivitySettings", + "Microsoft.Security/query", + "Microsoft.Security/applications", + "Microsoft.Security/apiCollections", + "Microsoft.Security/healthReports", + "Microsoft.Security/aggregations", + "Microsoft.Security/integrations", + "Microsoft.PolicyInsights/policyEvents", + "Microsoft.PolicyInsights/policyStates", + "Microsoft.PolicyInsights/operations", + "Microsoft.PolicyInsights/asyncOperationResults", + "Microsoft.PolicyInsights/remediations", + "Microsoft.PolicyInsights/eventGridFilters", + "Microsoft.PolicyInsights/checkPolicyRestrictions", + "Microsoft.PolicyInsights/policyTrackedResources", + "Microsoft.PolicyInsights/policyMetadata", + "Microsoft.Management/resources", + "Microsoft.Management/managementGroups", + "Microsoft.Management/getEntities", + "Microsoft.Management/managementGroups/settings", + "Microsoft.Management/checkNameAvailability", + "Microsoft.Management/operationResults", + "Microsoft.Management/operationResults/asyncOperation", + "Microsoft.Management/operations", + "Microsoft.Management/tenantBackfillStatus", + "Microsoft.Management/startTenantBackfill", + "Microsoft.Storage/storageAccounts/storageTaskAssignments", + "Microsoft.Storage/storageAccounts/encryptionScopes", + "Microsoft.Storage/deletedAccounts", + "Microsoft.Storage/locations/deletedAccounts", + "Microsoft.Storage/storageAccounts", + "Microsoft.Storage/storageTasks", + "Microsoft.Storage/operations", + "Microsoft.Storage/locations/asyncoperations", + "Microsoft.Storage/storageAccounts/listAccountSas", + "Microsoft.Storage/storageAccounts/listServiceSas", + "Microsoft.Storage/storageAccounts/blobServices", + "Microsoft.Storage/storageAccounts/tableServices", + "Microsoft.Storage/storageAccounts/queueServices", + "Microsoft.Storage/storageAccounts/fileServices", + "Microsoft.Storage/locations", + "Microsoft.Storage/locations/usages", + "Microsoft.Storage/locations/deleteVirtualNetworkOrSubnets", + "Microsoft.Storage/usages", + "Microsoft.Storage/checkNameAvailability", + "Microsoft.Storage/locations/checkNameAvailability", + "Microsoft.Storage/storageAccounts/services", + "Microsoft.Storage/storageAccounts/services/metricDefinitions", + "Microsoft.Storage/locations/notifyNetworkSecurityPerimeterUpdatesAvailable", + "Microsoft.OperationalInsights/workspaces", + "Microsoft.OperationalInsights/querypacks", + "Microsoft.OperationalInsights/locations", + "Microsoft.OperationalInsights/locations/operationStatuses", + "Microsoft.OperationalInsights/workspaces/scopedPrivateLinkProxies", + "Microsoft.OperationalInsights/workspaces/api", + "Microsoft.OperationalInsights/workspaces/query", + "Microsoft.OperationalInsights/workspaces/metadata", + "Microsoft.OperationalInsights/workspaces/purge", + "Microsoft.OperationalInsights/workspaces/operations", + "Microsoft.OperationalInsights/workspaces/dataSources", + "Microsoft.OperationalInsights/workspaces/linkedStorageAccounts", + "Microsoft.OperationalInsights/workspaces/tables", + "Microsoft.OperationalInsights/workspaces/storageInsightConfigs", + "Microsoft.OperationalInsights/storageInsightConfigs", + "Microsoft.OperationalInsights/workspaces/linkedServices", + "Microsoft.OperationalInsights/linkTargets", + "Microsoft.OperationalInsights/deletedWorkspaces", + "Microsoft.OperationalInsights/operations", + "Microsoft.OperationalInsights/clusters", + "Microsoft.OperationalInsights/workspaces/dataExports", + "Microsoft.OperationalInsights/locations/notifyNetworkSecurityPerimeterUpdatesAvailable", + "Microsoft.Automation/automationAccounts", + "Microsoft.Automation/deletedAutomationAccounts", + "Microsoft.Automation/automationAccounts/runbooks", + "Microsoft.Automation/automationAccounts/configurations", + "Microsoft.Automation/automationAccounts/webhooks", + "Microsoft.Automation/operations", + "Microsoft.Automation/automationAccounts/softwareUpdateConfigurations", + "Microsoft.Automation/automationAccounts/softwareUpdateConfigurationRuns", + "Microsoft.Automation/automationAccounts/softwareUpdateConfigurationMachineRuns", + "Microsoft.Automation/automationAccounts/jobs", + "Microsoft.Automation/automationAccounts/privateLinkResources", + "Microsoft.Automation/automationAccounts/privateEndpointConnections", + "Microsoft.Automation/automationAccounts/privateEndpointConnectionProxies", + "Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups", + "Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/hybridRunbookWorkers", + "Microsoft.Automation/automationAccounts/agentRegistrationInformation", + "Microsoft.Network/virtualNetworkGateways", + "Microsoft.Network/localNetworkGateways", + "Microsoft.Network/connections", + "Microsoft.Network/applicationGateways", + "Microsoft.Network/expressRouteCircuits", + "Microsoft.Network/expressRouteServiceProviders", + "Microsoft.Network/applicationGatewayAvailableWafRuleSets", + "Microsoft.Network/applicationGatewayAvailableSslOptions", + "Microsoft.Network/applicationGatewayAvailableServerVariables", + "Microsoft.Network/applicationGatewayAvailableRequestHeaders", + "Microsoft.Network/applicationGatewayAvailableResponseHeaders", + "Microsoft.Network/routeFilters", + "Microsoft.Network/bgpServiceCommunities", + "Microsoft.Network/vpnSites", + "Microsoft.Network/vpnServerConfigurations", + "Microsoft.Network/virtualHubs", + "Microsoft.Network/vpnGateways", + "Microsoft.Network/p2sVpnGateways", + "Microsoft.Network/expressRouteGateways", + "Microsoft.Network/expressRoutePortsLocations", + "Microsoft.Network/expressRoutePorts", + "Microsoft.Network/securityPartnerProviders", + "Microsoft.Network/azureFirewalls", + "Microsoft.Network/azureFirewallFqdnTags", + "Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies", + "Microsoft.Network/locations/ApplicationGatewayWafDynamicManifests", + "Microsoft.Network/virtualWans", + "Microsoft.Network/bastionHosts", + "Microsoft.Network/queryExpressRoutePortsBandwidth", + "Microsoft.Network/trafficmanagerprofiles", + "Microsoft.Network/trafficmanagerprofiles/heatMaps", + "Microsoft.Network/trafficmanagerprofiles/azureendpoints", + "Microsoft.Network/trafficmanagerprofiles/externalendpoints", + "Microsoft.Network/trafficmanagerprofiles/nestedendpoints", + "Microsoft.Network/checkTrafficManagerNameAvailability", + "Microsoft.Network/checkTrafficManagerNameAvailabilityV2", + "Microsoft.Network/trafficManagerUserMetricsKeys", + "Microsoft.Network/trafficManagerGeographicHierarchies", + "Microsoft.Network/expressRouteProviderPorts", + "Microsoft.Network/locations/hybridEdgeZone", + "Microsoft.Network/firewallPolicies", + "Microsoft.Network/ipGroups", + "Microsoft.Network/azureWebCategories", + "Microsoft.Network/locations/nfvOperations", + "Microsoft.Network/locations/nfvOperationResults", + "Microsoft.Network/virtualRouters", + "Microsoft.Network/networkVirtualAppliances", + "Microsoft.Network/networkVirtualApplianceSkus", + "Microsoft.Network/frontdoorOperationResults", + "Microsoft.Network/checkFrontdoorNameAvailability", + "Microsoft.Network/frontdoors", + "Microsoft.Network/frontdoors/frontendEndpoints", + "Microsoft.Network/frontdoors/frontendEndpoints/customHttpsConfiguration", + "Microsoft.Network/frontdoorWebApplicationFirewallPolicies", + "Microsoft.Network/frontdoorWebApplicationFirewallManagedRuleSets", + "Microsoft.Network/networkExperimentProfiles", + "Microsoft.Network/networkManagers", + "Microsoft.Network/networkManagerConnections", + "Microsoft.Network/networkSecurityPerimeters", + "Microsoft.Network/locations/perimeterAssociableResourceTypes", + "Microsoft.Network/locations/queryNetworkSecurityPerimeter", + "Microsoft.Network/virtualNetworks/listNetworkManagerEffectiveConnectivityConfigurations", + "Microsoft.Network/virtualNetworks/listNetworkManagerEffectiveSecurityAdminRules", + "Microsoft.Network/networkGroupMemberships", + "Microsoft.Network/locations/commitInternalAzureNetworkManagerConfiguration", + "Microsoft.Network/locations/internalAzureVirtualNetworkManagerOperation", + "Microsoft.Network/privateDnsZones", + "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "Microsoft.Network/privateDnsOperationResults", + "Microsoft.Network/privateDnsOperationStatuses", + "Microsoft.Network/privateDnsZonesInternal", + "Microsoft.Network/privateDnsZones/A", + "Microsoft.Network/privateDnsZones/AAAA", + "Microsoft.Network/privateDnsZones/CNAME", + "Microsoft.Network/privateDnsZones/PTR", + "Microsoft.Network/privateDnsZones/MX", + "Microsoft.Network/privateDnsZones/TXT", + "Microsoft.Network/privateDnsZones/SRV", + "Microsoft.Network/privateDnsZones/SOA", + "Microsoft.Network/privateDnsZones/all", + "Microsoft.Network/virtualNetworks/privateDnsZoneLinks", + "Microsoft.Network/dnsResolvers", + "Microsoft.Network/dnsResolvers/inboundEndpoints", + "Microsoft.Network/dnsResolvers/outboundEndpoints", + "Microsoft.Network/dnsForwardingRulesets", + "Microsoft.Network/dnsForwardingRulesets/forwardingRules", + "Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks", + "Microsoft.Network/virtualNetworks/listDnsResolvers", + "Microsoft.Network/virtualNetworks/listDnsForwardingRulesets", + "Microsoft.Network/locations/dnsResolverOperationResults", + "Microsoft.Network/locations/dnsResolverOperationStatuses", + "Microsoft.Network/locations/dnsResolverPolicyOperationResults", + "Microsoft.Network/locations/dnsResolverPolicyOperationStatuses", + "Microsoft.Network/dnszones", + "Microsoft.Network/dnsOperationResults", + "Microsoft.Network/dnsOperationStatuses", + "Microsoft.Network/getDnsResourceReference", + "Microsoft.Network/internalNotify", + "Microsoft.Network/dnszones/A", + "Microsoft.Network/dnszones/AAAA", + "Microsoft.Network/dnszones/CNAME", + "Microsoft.Network/dnszones/PTR", + "Microsoft.Network/dnszones/MX", + "Microsoft.Network/dnszones/TXT", + "Microsoft.Network/dnszones/SRV", + "Microsoft.Network/dnszones/SOA", + "Microsoft.Network/dnszones/NS", + "Microsoft.Network/dnszones/CAA", + "Microsoft.Network/dnszones/DS", + "Microsoft.Network/dnszones/TLSA", + "Microsoft.Network/dnszones/NAPTR", + "Microsoft.Network/dnszones/recordsets", + "Microsoft.Network/dnszones/all", + "Microsoft.Network/dnszones/dnssecConfigs", + "Microsoft.Network/virtualNetworks", + "Microsoft.Network/virtualNetworks/taggedTrafficConsumers", + "Microsoft.Network/natGateways", + "Microsoft.Network/publicIPAddresses", + "Microsoft.Network/internalPublicIpAddresses", + "Microsoft.Network/customIpPrefixes", + "Microsoft.Network/networkInterfaces", + "Microsoft.Network/dscpConfigurations", + "Microsoft.Network/privateEndpoints", + "Microsoft.Network/privateEndpoints/privateLinkServiceProxies", + "Microsoft.Network/privateEndpointRedirectMaps", + "Microsoft.Network/loadBalancers", + "Microsoft.Network/networkSecurityGroups", + "Microsoft.Network/applicationSecurityGroups", + "Microsoft.Network/serviceEndpointPolicies", + "Microsoft.Network/networkIntentPolicies", + "Microsoft.Network/routeTables", + "Microsoft.Network/publicIPPrefixes", + "Microsoft.Network/networkWatchers", + "Microsoft.Network/networkWatchers/connectionMonitors", + "Microsoft.Network/networkWatchers/flowLogs", + "Microsoft.Network/networkWatchers/pingMeshes", + "Microsoft.Network/locations", + "Microsoft.Network/locations/operations", + "Microsoft.Network/locations/operationResults", + "Microsoft.Network/locations/CheckDnsNameAvailability", + "Microsoft.Network/locations/setLoadBalancerFrontendPublicIpAddresses", + "Microsoft.Network/cloudServiceSlots", + "Microsoft.Network/locations/usages", + "Microsoft.Network/locations/virtualNetworkAvailableEndpointServices", + "Microsoft.Network/locations/availableDelegations", + "Microsoft.Network/locations/serviceTags", + "Microsoft.Network/locations/availablePrivateEndpointTypes", + "Microsoft.Network/locations/availableServiceAliases", + "Microsoft.Network/locations/checkPrivateLinkServiceVisibility", + "Microsoft.Network/locations/autoApprovedPrivateLinkServices", + "Microsoft.Network/locations/batchValidatePrivateEndpointsForResourceMove", + "Microsoft.Network/locations/batchNotifyPrivateEndpointsForResourceMove", + "Microsoft.Network/locations/supportedVirtualMachineSizes", + "Microsoft.Network/locations/setAzureNetworkManagerConfiguration", + "Microsoft.Network/locations/publishResources", + "Microsoft.Network/locations/getAzureNetworkManagerConfiguration", + "Microsoft.Network/locations/checkAcceleratedNetworkingSupport", + "Microsoft.Network/locations/validateResourceOwnership", + "Microsoft.Network/locations/setResourceOwnership", + "Microsoft.Network/locations/effectiveResourceOwnership", + "Microsoft.Network/operations", + "Microsoft.Network/virtualNetworkTaps", + "Microsoft.Network/privateLinkServices", + "Microsoft.Network/locations/privateLinkServices", + "Microsoft.Network/ddosProtectionPlans", + "Microsoft.Network/networkProfiles", + "Microsoft.Network/locations/bareMetalTenants", + "Microsoft.Network/ipAllocations", + "Microsoft.Network/locations/serviceTagDetails", + "Microsoft.Network/locations/dataTasks", + "Microsoft.Network/locations/startPacketTagging", + "Microsoft.Network/locations/deletePacketTagging", + "Microsoft.Network/locations/getPacketTagging", + "Microsoft.Network/locations/rnmEffectiveRouteTable", + "Microsoft.Network/locations/rnmEffectiveNetworkSecurityGroups", + "Microsoft.Compute/availabilitySets", + "Microsoft.Compute/virtualMachines", + "Microsoft.Compute/virtualMachines/extensions", + "Microsoft.Compute/virtualMachineScaleSets", + "Microsoft.Compute/virtualMachineScaleSets/extensions", + "Microsoft.Compute/virtualMachineScaleSets/virtualMachines", + "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/extensions", + "Microsoft.Compute/virtualMachineScaleSets/networkInterfaces", + "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces", + "Microsoft.Compute/virtualMachineScaleSets/publicIPAddresses", + "Microsoft.Compute/locations", + "Microsoft.Compute/locations/operations", + "Microsoft.Compute/locations/vmSizes", + "Microsoft.Compute/locations/runCommands", + "Microsoft.Compute/locations/virtualMachines", + "Microsoft.Compute/locations/virtualMachineScaleSets", + "Microsoft.Compute/locations/publishers", + "Microsoft.Compute/operations", + "Microsoft.Compute/virtualMachines/runCommands", + "Microsoft.Compute/virtualMachineScaleSets/applications", + "Microsoft.Compute/virtualMachines/VMApplications", + "Microsoft.Compute/locations/edgeZones", + "Microsoft.Compute/locations/edgeZones/vmimages", + "Microsoft.Compute/locations/edgeZones/publishers", + "Microsoft.Compute/restorePointCollections", + "Microsoft.Compute/restorePointCollections/restorePoints", + "Microsoft.Compute/proximityPlacementGroups", + "Microsoft.Compute/sshPublicKeys", + "Microsoft.Compute/capacityReservationGroups", + "Microsoft.Compute/capacityReservationGroups/capacityReservations", + "Microsoft.Compute/virtualMachines/metricDefinitions", + "Microsoft.Compute/locations/spotEvictionRates", + "Microsoft.Compute/locations/spotPriceHistory", + "Microsoft.Compute/locations/recommendations", + "Microsoft.Compute/locations/sharedGalleries", + "Microsoft.Compute/locations/communityGalleries", + "Microsoft.Compute/sharedVMImages", + "Microsoft.Compute/sharedVMImages/versions", + "Microsoft.Compute/locations/artifactPublishers", + "Microsoft.Compute/locations/capsoperations", + "Microsoft.Compute/galleries", + "Microsoft.Compute/galleries/images", + "Microsoft.Compute/galleries/images/versions", + "Microsoft.Compute/locations/galleries", + "Microsoft.Compute/payloadGroups", + "Microsoft.Compute/galleries/applications", + "Microsoft.Compute/galleries/applications/versions", + "Microsoft.Compute/disks", + "Microsoft.Compute/snapshots", + "Microsoft.Compute/locations/diskoperations", + "Microsoft.Compute/diskEncryptionSets", + "Microsoft.Compute/diskAccesses", + "Microsoft.Compute/restorePointCollections/restorePoints/diskRestorePoints", + "Microsoft.Compute/virtualMachineScaleSets/disks", + "Microsoft.Compute/cloudServices", + "Microsoft.Compute/cloudServices/roles", + "Microsoft.Compute/cloudServices/roleInstances", + "Microsoft.Compute/locations/csoperations", + "Microsoft.Compute/locations/cloudServiceOsVersions", + "Microsoft.Compute/locations/cloudServiceOsFamilies", + "Microsoft.Compute/cloudServices/networkInterfaces", + "Microsoft.Compute/cloudServices/roleInstances/networkInterfaces", + "Microsoft.Compute/cloudServices/publicIPAddresses", + "Microsoft.Compute/locations/usages", + "Microsoft.Compute/images", + "Microsoft.Compute/locations/diagnostics", + "Microsoft.Compute/locations/diagnosticOperations", + "Microsoft.Compute/locations/logAnalytics", + "Microsoft.Compute/hostGroups", + "Microsoft.Compute/hostGroups/hosts", + "Microsoft.ResourceHealth/availabilityStatuses", + "Microsoft.ResourceHealth/childAvailabilityStatuses", + "Microsoft.ResourceHealth/childResources", + "Microsoft.ResourceHealth/events", + "Microsoft.ResourceHealth/metadata", + "Microsoft.ResourceHealth/emergingissues", + "Microsoft.ResourceHealth/operations", + "microsoft.insights/components", + "microsoft.insights/components/query", + "microsoft.insights/components/metadata", + "microsoft.insights/components/metrics", + "microsoft.insights/components/events", + "microsoft.insights/components/syntheticmonitorlocations", + "microsoft.insights/components/analyticsItems", + "microsoft.insights/components/webtests", + "microsoft.insights/components/workItemConfigs", + "microsoft.insights/components/myFavorites", + "microsoft.insights/components/operations", + "microsoft.insights/components/exportConfiguration", + "microsoft.insights/components/purge", + "microsoft.insights/components/api", + "microsoft.insights/components/aggregate", + "microsoft.insights/components/metricDefinitions", + "microsoft.insights/components/extendQueries", + "microsoft.insights/components/apiKeys", + "microsoft.insights/components/myAnalyticsItems", + "microsoft.insights/components/favorites", + "microsoft.insights/components/defaultWorkItemConfig", + "microsoft.insights/components/annotations", + "microsoft.insights/components/proactiveDetectionConfigs", + "microsoft.insights/components/move", + "microsoft.insights/components/currentBillingFeatures", + "microsoft.insights/components/quotaStatus", + "microsoft.insights/components/featureCapabilities", + "microsoft.insights/components/getAvailableBillingFeatures", + "microsoft.insights/webtests", + "microsoft.insights/webtests/getTestResultFile", + "microsoft.insights/scheduledqueryrules", + "microsoft.insights/components/pricingPlans", + "microsoft.insights/migrateToNewPricingModel", + "microsoft.insights/rollbackToLegacyPricingModel", + "microsoft.insights/listMigrationdate", + "microsoft.insights/logprofiles", + "microsoft.insights/migratealertrules", + "microsoft.insights/metricalerts", + "microsoft.insights/alertrules", + "microsoft.insights/autoscalesettings", + "microsoft.insights/eventtypes", + "microsoft.insights/locations", + "microsoft.insights/locations/operationResults", + "microsoft.insights/vmInsightsOnboardingStatuses", + "microsoft.insights/operations", + "microsoft.insights/diagnosticSettings", + "microsoft.insights/diagnosticSettingsCategories", + "microsoft.insights/extendedDiagnosticSettings", + "microsoft.insights/metricDefinitions", + "microsoft.insights/logDefinitions", + "microsoft.insights/eventCategories", + "microsoft.insights/metrics", + "microsoft.insights/metricbatch", + "microsoft.insights/metricNamespaces", + "microsoft.insights/notificationstatus", + "microsoft.insights/createnotifications", + "microsoft.insights/tenantactiongroups", + "microsoft.insights/actiongroups", + "microsoft.insights/activityLogAlerts", + "microsoft.insights/metricbaselines", + "microsoft.insights/workbooks", + "microsoft.insights/workbooktemplates", + "microsoft.insights/myWorkbooks", + "microsoft.insights/logs", + "microsoft.insights/transactions", + "microsoft.insights/topology", + "microsoft.insights/generateLiveToken", + "microsoft.insights/monitoredObjects", + "microsoft.insights/dataCollectionRules", + "microsoft.insights/dataCollectionRuleAssociations", + "microsoft.insights/dataCollectionEndpoints", + "microsoft.insights/dataCollectionEndpoints/scopedPrivateLinkProxies", + "microsoft.insights/privateLinkScopes", + "microsoft.insights/privateLinkScopes/privateEndpointConnections", + "microsoft.insights/privateLinkScopes/privateEndpointConnectionProxies", + "microsoft.insights/privateLinkScopes/scopedResources", + "microsoft.insights/components/linkedstorageaccounts", + "microsoft.insights/privateLinkScopeOperationStatuses", + "microsoft.insights/locations/notifyNetworkSecurityPerimeterUpdatesAvailable", + "Microsoft.ManagedServices/registrationDefinitions", + "Microsoft.ManagedServices/registrationAssignments", + "Microsoft.ManagedServices/operations", + "Microsoft.ManagedServices/marketplaceRegistrationDefinitions", + "Microsoft.ManagedServices/operationStatuses", + "Microsoft.HDInsight/clusters", + "Microsoft.HDInsight/clusters/applications", + "Microsoft.HDInsight/clusters/operationresults", + "Microsoft.HDInsight/locations", + "Microsoft.HDInsight/locations/capabilities", + "Microsoft.HDInsight/locations/usages", + "Microsoft.HDInsight/locations/billingSpecs", + "Microsoft.HDInsight/locations/operationresults", + "Microsoft.HDInsight/locations/azureasyncoperations", + "Microsoft.HDInsight/locations/validateCreateRequest", + "Microsoft.HDInsight/operations", + "Microsoft.HDInsight/locations/operationStatuses", + "Microsoft.HDInsight/clusterPools", + "Microsoft.HDInsight/clusterPools/clusters", + "Microsoft.HDInsight/locations/clusterOfferingVersions", + "Microsoft.HDInsight/locations/availableClusterPoolVersions", + "Microsoft.HDInsight/locations/availableClusterVersions", + "Microsoft.HDInsight/locations/checkNameAvailability", + "Microsoft.HDInsight/clusterPools/clusters/serviceConfigs", + "Microsoft.HDInsight/clusterPools/clusters/instanceViews", + "Microsoft.HDInsight/clusterPools/clusters/jobs", + "Microsoft.AlertsManagement/alerts", + "Microsoft.AlertsManagement/alertsSummary", + "Microsoft.AlertsManagement/smartGroups", + "Microsoft.AlertsManagement/smartDetectorAlertRules", + "Microsoft.AlertsManagement/migrateFromSmartDetection", + "Microsoft.AlertsManagement/actionRules", + "Microsoft.AlertsManagement/alertsMetaData", + "Microsoft.AlertsManagement/prometheusRuleGroups", + "Microsoft.AlertsManagement/operations", + "Microsoft.AlertsManagement/alertRuleRecommendations", + "Microsoft.AlertsManagement/tenantActivityLogAlerts", + "Microsoft.AlertsManagement/investigations", + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationsManagement/managementassociations", + "Microsoft.OperationsManagement/views", + "Microsoft.OperationsManagement/operations", + "Microsoft.KeyVault/vaults", + "Microsoft.KeyVault/vaults/secrets", + "Microsoft.KeyVault/vaults/accessPolicies", + "Microsoft.KeyVault/operations", + "Microsoft.KeyVault/checkNameAvailability", + "Microsoft.KeyVault/deletedVaults", + "Microsoft.KeyVault/locations", + "Microsoft.KeyVault/locations/notifyNetworkSecurityPerimeterUpdatesAvailable", + "Microsoft.KeyVault/locations/deletedVaults", + "Microsoft.KeyVault/locations/deleteVirtualNetworkOrSubnets", + "Microsoft.KeyVault/locations/operationResults", + "Microsoft.KeyVault/vaults/eventGridFilters", + "Microsoft.KeyVault/managedHSMs", + "Microsoft.KeyVault/deletedManagedHSMs", + "Microsoft.KeyVault/locations/deletedManagedHSMs", + "Microsoft.KeyVault/locations/managedHsmOperationResults", + "Microsoft.KeyVault/managedHSMs/keys", + "Microsoft.KeyVault/managedHSMs/keys/versions", + "Microsoft.KeyVault/checkMhsmNameAvailability", + "Microsoft.KeyVault/vaults/keys", + "Microsoft.KeyVault/vaults/keys/versions", + "Microsoft.ContainerService/ManagedClusters/eventGridFilters", + "Microsoft.ContainerService/fleetMemberships", + "Microsoft.ContainerService/fleets", + "Microsoft.ContainerService/fleets/members", + "Microsoft.ContainerService/fleets/updateRuns", + "Microsoft.ContainerService/fleets/updateStrategies", + "Microsoft.ContainerService/locations", + "Microsoft.ContainerService/locations/notifyNetworkSecurityPerimeterUpdatesAvailable", + "Microsoft.ContainerService/locations/operationresults", + "Microsoft.ContainerService/locations/operations", + "Microsoft.ContainerService/locations/orchestrators", + "Microsoft.ContainerService/locations/kubernetesVersions", + "Microsoft.ContainerService/locations/usages", + "Microsoft.ContainerService/locations/osOptions", + "Microsoft.ContainerService/locations/guardrailsVersions", + "Microsoft.ContainerService/locations/trustedAccessRoles", + "Microsoft.ContainerService/managedClusters", + "Microsoft.ContainerService/managedclustersnapshots", + "Microsoft.ContainerService/operations", + "Microsoft.ContainerService/snapshots", + "Microsoft.DesktopVirtualization/workspaces", + "Microsoft.DesktopVirtualization/applicationgroups", + "Microsoft.DesktopVirtualization/applicationgroups/applications", + "Microsoft.DesktopVirtualization/applicationgroups/desktops", + "Microsoft.DesktopVirtualization/applicationgroups/startmenuitems", + "Microsoft.DesktopVirtualization/hostpools", + "Microsoft.DesktopVirtualization/hostpools/msixpackages", + "Microsoft.DesktopVirtualization/hostpools/sessionhosts", + "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions", + "Microsoft.DesktopVirtualization/hostpools/usersessions", + "Microsoft.DesktopVirtualization/scalingplans", + "Microsoft.DesktopVirtualization/appattachpackages", + "Microsoft.DesktopVirtualization/operations", + "Microsoft.SecurityInsights/operations", + "Microsoft.SecurityInsights/alertRules", + "Microsoft.SecurityInsights/alertRuleTemplates", + "Microsoft.SecurityInsights/triggeredAnalyticsRuleRuns", + "Microsoft.SecurityInsights/cases", + "Microsoft.SecurityInsights/bookmarks", + "Microsoft.SecurityInsights/dataConnectors", + "Microsoft.SecurityInsights/dataConnectorDefinitions", + "Microsoft.SecurityInsights/dataConnectorsCheckRequirements", + "Microsoft.SecurityInsights/enrichment", + "Microsoft.SecurityInsights/fileImports", + "Microsoft.SecurityInsights/entities", + "Microsoft.SecurityInsights/incidents", + "Microsoft.SecurityInsights/officeConsents", + "Microsoft.SecurityInsights/settings", + "Microsoft.SecurityInsights/aggregations", + "Microsoft.SecurityInsights/entityQueries", + "Microsoft.SecurityInsights/entityQueryTemplates", + "Microsoft.SecurityInsights/threatIntelligence", + "Microsoft.SecurityInsights/automationRules", + "Microsoft.SecurityInsights/sourceControls", + "Microsoft.SecurityInsights/exportConnections", + "Microsoft.SecurityInsights/listrepositories", + "Microsoft.SecurityInsights/watchlists", + "Microsoft.SecurityInsights/confidentialWatchlists", + "Microsoft.SecurityInsights/huntsessions", + "Microsoft.SecurityInsights/dynamicSummaries", + "Microsoft.SecurityInsights/hunts", + "Microsoft.SecurityInsights/onboardingStates", + "Microsoft.SecurityInsights/metadata", + "Microsoft.SecurityInsights/contentPackages", + "Microsoft.SecurityInsights/contentTemplates", + "Microsoft.SecurityInsights/contentProductPackages", + "Microsoft.SecurityInsights/contentProductTemplates", + "Microsoft.SecurityInsights/MitreCoverageRecords", + "Microsoft.SecurityInsights/overview", + "Microsoft.SecurityInsights/recommendations", + "Microsoft.SecurityInsights/billingStatistics", + "Microsoft.SecurityInsights/workspaceManagerConfigurations", + "Microsoft.SecurityInsights/workspaceManagerMembers", + "Microsoft.SecurityInsights/workspaceManagerGroups", + "Microsoft.SecurityInsights/workspaceManagerAssignments", + "Microsoft.SecurityInsights/securityMLAnalyticsSettings", + "Microsoft.SecurityInsights/contenttranslators", + "Microsoft.ServiceFabric/clusters", + "Microsoft.ServiceFabric/clusters/applications", + "Microsoft.ServiceFabric/clusters/applicationTypes", + "Microsoft.ServiceFabric/clusters/applicationTypes/versions", + "Microsoft.ServiceFabric/clusters/applications/services", + "Microsoft.ServiceFabric/locations", + "Microsoft.ServiceFabric/locations/clusterVersions", + "Microsoft.ServiceFabric/locations/environments", + "Microsoft.ServiceFabric/locations/operations", + "Microsoft.ServiceFabric/locations/operationResults", + "Microsoft.ServiceFabric/locations/unsupportedVMSizes", + "Microsoft.ServiceFabric/operations", + "Microsoft.ServiceFabric/managedclusters", + "Microsoft.ServiceFabric/managedclusters/nodetypes", + "Microsoft.ServiceFabric/managedclusters/applicationTypes", + "Microsoft.ServiceFabric/managedclusters/applicationTypes/versions", + "Microsoft.ServiceFabric/managedclusters/applications", + "Microsoft.ServiceFabric/managedclusters/applications/services", + "Microsoft.ServiceFabric/locations/managedClusterOperations", + "Microsoft.ServiceFabric/locations/managedClusterOperationResults", + "Microsoft.ServiceFabric/locations/managedClusterVersions", + "Microsoft.ServiceFabric/locations/environments/managedClusterVersions", + "Microsoft.ServiceFabric/locations/managedUnsupportedVMSizes", + "Microsoft.PowerBIDedicated/capacities", + "Microsoft.PowerBIDedicated/autoScaleVCores", + "Microsoft.PowerBIDedicated/locations", + "Microsoft.PowerBIDedicated/locations/checkNameAvailability", + "Microsoft.PowerBIDedicated/locations/operationresults", + "Microsoft.PowerBIDedicated/locations/operationstatuses", + "Microsoft.PowerBIDedicated/operations", + "Microsoft.Logic/workflows", + "Microsoft.Logic/locations/workflows", + "Microsoft.Logic/locations/validateWorkflowExport", + "Microsoft.Logic/locations/workflowExport", + "Microsoft.Logic/locations", + "Microsoft.Logic/operations", + "Microsoft.Logic/integrationAccounts", + "Microsoft.Logic/integrationServiceEnvironments", + "Microsoft.Logic/integrationServiceEnvironments/managedApis", + "Microsoft.Logic/locations/generateCopilotResponse", + "Microsoft.MachineLearningServices/workspaces/batchEndpoints", + "Microsoft.MachineLearningServices/workspaces/batchEndpoints/deployments", + "Microsoft.MachineLearningServices/workspaces", + "Microsoft.MachineLearningServices/registries", + "Microsoft.MachineLearningServices/locations/registryOperationsStatus", + "Microsoft.MachineLearningServices/workspaces/onlineEndpoints", + "Microsoft.MachineLearningServices/workspaces/onlineEndpoints/deployments", + "Microsoft.MachineLearningServices/workspaces/onlineEndpoints/deployments/skus", + "Microsoft.MachineLearningServices/workspaces/computes", + "Microsoft.MachineLearningServices/workspaces/jobs", + "Microsoft.MachineLearningServices/workspaces/codes", + "Microsoft.MachineLearningServices/workspaces/codes/versions", + "Microsoft.MachineLearningServices/workspaces/components", + "Microsoft.MachineLearningServices/workspaces/components/versions", + "Microsoft.MachineLearningServices/workspaces/environments", + "Microsoft.MachineLearningServices/workspaces/environments/versions", + "Microsoft.MachineLearningServices/workspaces/data", + "Microsoft.MachineLearningServices/workspaces/data/versions", + "Microsoft.MachineLearningServices/workspaces/datasets", + "Microsoft.MachineLearningServices/workspaces/services", + "Microsoft.MachineLearningServices/workspaces/datastores", + "Microsoft.MachineLearningServices/workspaces/eventGridFilters", + "Microsoft.MachineLearningServices/workspaces/models", + "Microsoft.MachineLearningServices/workspaces/models/versions", + "Microsoft.MachineLearningServices/operations", + "Microsoft.MachineLearningServices/locations", + "Microsoft.MachineLearningServices/locations/computeOperationsStatus", + "Microsoft.MachineLearningServices/locations/mfeOperationResults", + "Microsoft.MachineLearningServices/locations/mfeOperationsStatus", + "Microsoft.MachineLearningServices/locations/workspaceOperationsStatus", + "Microsoft.MachineLearningServices/locations/usages", + "Microsoft.MachineLearningServices/locations/vmsizes", + "Microsoft.MachineLearningServices/locations/quotas", + "Microsoft.MachineLearningServices/locations/updatequotas", + "Microsoft.MachineLearningServices/workspaces/linkedServices", + "Microsoft.MachineLearningServices/workspaces/labelingJobs", + "Microsoft.MachineLearningServices/workspaces/schedules", + "Microsoft.MachineLearningServices/workspaces/featuresets", + "Microsoft.MachineLearningServices/workspaces/serverlessEndpoints", + "Microsoft.MachineLearningServices/workspaces/marketplaceSubscriptions", + "Microsoft.MachineLearningServices/workspaces/inferencePools", + "Microsoft.MachineLearningServices/workspaces/inferencePools/groups", + "Microsoft.MachineLearningServices/workspaces/inferencePools/endpoints", + "Microsoft.MachineLearningServices/workspaces/featuresets/versions", + "Microsoft.MachineLearningServices/workspaces/featurestoreEntities", + "Microsoft.MachineLearningServices/workspaces/featurestoreEntities/versions", + "Microsoft.MachineLearningServices/workspaces/endpoints", + "Microsoft.MachineLearningServices/registries/codes", + "Microsoft.MachineLearningServices/registries/codes/versions", + "Microsoft.MachineLearningServices/registries/components", + "Microsoft.MachineLearningServices/registries/components/versions", + "Microsoft.MachineLearningServices/registries/data", + "Microsoft.MachineLearningServices/registries/data/versions", + "Microsoft.MachineLearningServices/registries/datareferences", + "Microsoft.MachineLearningServices/registries/datareferences/versions", + "Microsoft.MachineLearningServices/registries/environments", + "Microsoft.MachineLearningServices/registries/environments/versions", + "Microsoft.MachineLearningServices/registries/models", + "Microsoft.MachineLearningServices/registries/models/versions", + "Microsoft.MachineLearningServices/capacityReservationGroups", + "Microsoft.ContainerInstance/containerGroups", + "Microsoft.ContainerInstance/serviceAssociationLinks", + "Microsoft.ContainerInstance/locations", + "Microsoft.ContainerInstance/locations/capabilities", + "Microsoft.ContainerInstance/locations/usages", + "Microsoft.ContainerInstance/locations/operations", + "Microsoft.ContainerInstance/locations/operationresults", + "Microsoft.ContainerInstance/operations", + "Microsoft.ContainerInstance/locations/cachedImages", + "Microsoft.ContainerInstance/locations/validateDeleteVirtualNetworkOrSubnets", + "Microsoft.ContainerInstance/locations/deleteVirtualNetworkOrSubnets", + "Microsoft.ManagedIdentity/Identities", + "Microsoft.ManagedIdentity/userAssignedIdentities", + "Microsoft.ManagedIdentity/operations", + "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials", + "Microsoft.Cdn/profiles", + "Microsoft.Cdn/profiles/endpoints", + "Microsoft.Cdn/profiles/endpoints/origins", + "Microsoft.Cdn/profiles/endpoints/origingroups", + "Microsoft.Cdn/profiles/endpoints/customdomains", + "Microsoft.Cdn/operationresults", + "Microsoft.Cdn/operationresults/profileresults", + "Microsoft.Cdn/operationresults/profileresults/endpointresults", + "Microsoft.Cdn/operationresults/profileresults/endpointresults/originresults", + "Microsoft.Cdn/operationresults/profileresults/endpointresults/origingroupresults", + "Microsoft.Cdn/operationresults/profileresults/endpointresults/customdomainresults", + "Microsoft.Cdn/checkNameAvailability", + "Microsoft.Cdn/checkEndpointNameAvailability", + "Microsoft.Cdn/checkResourceUsage", + "Microsoft.Cdn/validateProbe", + "Microsoft.Cdn/canMigrate", + "Microsoft.Cdn/migrate", + "Microsoft.Cdn/operations", + "Microsoft.Cdn/edgenodes", + "Microsoft.Cdn/CdnWebApplicationFirewallPolicies", + "Microsoft.Cdn/operationresults/cdnwebapplicationfirewallpolicyresults", + "Microsoft.Cdn/CdnWebApplicationFirewallManagedRuleSets", + "Microsoft.Cdn/profiles/afdendpoints", + "Microsoft.Cdn/profiles/afdendpoints/routes", + "Microsoft.Cdn/profiles/customdomains", + "Microsoft.Cdn/profiles/origingroups", + "Microsoft.Cdn/profiles/origingroups/origins", + "Microsoft.Cdn/profiles/rulesets", + "Microsoft.Cdn/profiles/rulesets/rules", + "Microsoft.Cdn/profiles/secrets", + "Microsoft.Cdn/validateSecret", + "Microsoft.Cdn/profiles/keygroups", + "Microsoft.Cdn/profiles/securitypolicies", + "Microsoft.Cdn/operationresults/profileresults/afdendpointresults", + "Microsoft.Cdn/operationresults/profileresults/afdendpointresults/routeresults", + "Microsoft.Cdn/operationresults/profileresults/customdomainresults", + "Microsoft.Cdn/operationresults/profileresults/origingroupresults", + "Microsoft.Cdn/operationresults/profileresults/origingroupresults/originresults", + "Microsoft.Cdn/operationresults/profileresults/rulesetresults", + "Microsoft.Cdn/operationresults/profileresults/rulesetresults/ruleresults", + "Microsoft.Cdn/operationresults/profileresults/secretresults", + "Microsoft.Cdn/operationresults/profileresults/securitypolicyresults", + "Microsoft.Cdn/profiles/policies", + "Microsoft.Cdn/profiles/networkpolicies", + "Microsoft.Cdn/operationresults/profileresults/policyresults", + "Microsoft.BotService/botServices", + "Microsoft.BotService/botServices/channels", + "Microsoft.BotService/botServices/connections", + "Microsoft.BotService/listAuthServiceProviders", + "Microsoft.BotService/listQnAMakerEndpointKeys", + "Microsoft.BotService/hostSettings", + "Microsoft.BotService/checkNameAvailability", + "Microsoft.BotService/locations", + "Microsoft.BotService/locations/notifyNetworkSecurityPerimeterUpdatesAvailable", + "Microsoft.BotService/operations", + "Microsoft.BotService/botServices/privateEndpointConnectionProxies", + "Microsoft.BotService/botServices/privateEndpointConnections", + "Microsoft.BotService/botServices/privateLinkResources", + "Microsoft.BotService/operationResults", + "Microsoft.Devices/checkNameAvailability", + "Microsoft.Devices/checkProvisioningServiceNameAvailability", + "Microsoft.Devices/usages", + "Microsoft.Devices/operations", + "Microsoft.Devices/operationResults", + "Microsoft.Devices/provisioningServiceOperationResults", + "Microsoft.Devices/locations/provisioningServiceOperationResults", + "Microsoft.Devices/locations", + "Microsoft.Devices/locations/operationResults", + "Microsoft.Devices/IotHubs", + "Microsoft.Devices/IotHubs/eventGridFilters", + "Microsoft.Devices/IotHubs/failover", + "Microsoft.Devices/ProvisioningServices", + "Microsoft.Devices/IotHubs/securitySettings", + "Microsoft.Databricks/workspaces", + "Microsoft.Databricks/accessConnectors", + "Microsoft.Databricks/workspaces/virtualNetworkPeerings", + "Microsoft.Databricks/workspaces/dbWorkspaces", + "Microsoft.Databricks/operations", + "Microsoft.Databricks/locations", + "Microsoft.Databricks/locations/operationstatuses", + "Microsoft.Databricks/locations/getNetworkPolicies", + "Microsoft.EventGrid/locations", + "Microsoft.EventGrid/locations/eventSubscriptions", + "Microsoft.EventGrid/locations/notifyNetworkSecurityPerimeterUpdatesAvailable", + "Microsoft.EventGrid/eventSubscriptions", + "Microsoft.EventGrid/topics", + "Microsoft.EventGrid/domains", + "Microsoft.EventGrid/domains/topics", + "Microsoft.EventGrid/topicTypes", + "Microsoft.EventGrid/operations", + "Microsoft.EventGrid/locations/operationsStatus", + "Microsoft.EventGrid/locations/operationResults", + "Microsoft.EventGrid/locations/topicTypes", + "Microsoft.EventGrid/extensionTopics", + "Microsoft.EventGrid/operationResults", + "Microsoft.EventGrid/operationsStatus", + "Microsoft.EventGrid/systemTopics", + "Microsoft.EventGrid/systemTopics/eventSubscriptions", + "Microsoft.EventGrid/partnerRegistrations", + "Microsoft.EventGrid/partnerConfigurations", + "Microsoft.EventGrid/verifiedPartners", + "Microsoft.EventGrid/namespaces", + "Microsoft.EventGrid/partnerNamespaces", + "Microsoft.EventGrid/partnerTopics", + "Microsoft.EventGrid/partnerTopics/eventSubscriptions", + "Microsoft.EventGrid/partnerNamespaces/eventChannels", + "Microsoft.EventGrid/partnerNamespaces/channels", + "Microsoft.EventGrid/partnerDestinations", + "Microsoft.DBforPostgreSQL/operations", + "Microsoft.DBforPostgreSQL/servers", + "Microsoft.DBforPostgreSQL/serverGroupsv2", + "Microsoft.DBforPostgreSQL/flexibleServers", + "Microsoft.DBforPostgreSQL/locations/capabilities", + "Microsoft.DBforPostgreSQL/locations/checkNameAvailability", + "Microsoft.DBforPostgreSQL/servers/recoverableServers", + "Microsoft.DBforPostgreSQL/servers/virtualNetworkRules", + "Microsoft.DBforPostgreSQL/checkNameAvailability", + "Microsoft.DBforPostgreSQL/availableEngineVersions", + "Microsoft.DBforPostgreSQL/getPrivateDnsZoneSuffix", + "Microsoft.DBforPostgreSQL/locations", + "Microsoft.DBforPostgreSQL/locations/operationResults", + "Microsoft.DBforPostgreSQL/locations/azureAsyncOperation", + "Microsoft.DBforPostgreSQL/locations/administratorOperationResults", + "Microsoft.DBforPostgreSQL/locations/administratorAzureAsyncOperation", + "Microsoft.DBforPostgreSQL/locations/checkVirtualNetworkSubnetUsage", + "Microsoft.DBforPostgreSQL/locations/privateEndpointConnectionProxyOperationResults", + "Microsoft.DBforPostgreSQL/locations/privateEndpointConnectionProxyAzureAsyncOperation", + "Microsoft.DBforPostgreSQL/locations/privateEndpointConnectionOperationResults", + "Microsoft.DBforPostgreSQL/locations/privateEndpointConnectionAzureAsyncOperation", + "Microsoft.DBforPostgreSQL/locations/performanceTiers", + "Microsoft.DBforPostgreSQL/locations/securityAlertPoliciesAzureAsyncOperation", + "Microsoft.DBforPostgreSQL/locations/securityAlertPoliciesOperationResults", + "Microsoft.DBforPostgreSQL/locations/recommendedActionSessionsAzureAsyncOperation", + "Microsoft.DBforPostgreSQL/locations/recommendedActionSessionsOperationResults", + "Microsoft.DBforPostgreSQL/servers/topQueryStatistics", + "Microsoft.DBforPostgreSQL/servers/queryTexts", + "Microsoft.DBforPostgreSQL/servers/waitStatistics", + "Microsoft.DBforPostgreSQL/servers/resetQueryPerformanceInsightData", + "Microsoft.DBforPostgreSQL/servers/advisors", + "Microsoft.DBforPostgreSQL/servers/privateLinkResources", + "Microsoft.DBforPostgreSQL/servers/privateEndpointConnections", + "Microsoft.DBforPostgreSQL/servers/privateEndpointConnectionProxies", + "Microsoft.DBforPostgreSQL/servers/keys", + "Microsoft.DBforPostgreSQL/locations/serverKeyAzureAsyncOperation", + "Microsoft.DBforPostgreSQL/locations/serverKeyOperationResults", + "Microsoft.DBforPostgreSQL/locations/getCachedServerName", + "Microsoft.TimeSeriesInsights/environments", + "Microsoft.TimeSeriesInsights/environments/eventsources", + "Microsoft.TimeSeriesInsights/environments/referenceDataSets", + "Microsoft.TimeSeriesInsights/environments/accessPolicies", + "Microsoft.TimeSeriesInsights/environments/privateLinkResources", + "Microsoft.TimeSeriesInsights/environments/privateEndpointConnectionProxies", + "Microsoft.TimeSeriesInsights/environments/privateEndpointConnections", + "Microsoft.TimeSeriesInsights/operations", + "Microsoft.DBforMariaDB/operations", + "Microsoft.DBforMariaDB/servers", + "Microsoft.DBforMariaDB/servers/recoverableServers", + "Microsoft.DBforMariaDB/servers/virtualNetworkRules", + "Microsoft.DBforMariaDB/checkNameAvailability", + "Microsoft.DBforMariaDB/locations", + "Microsoft.DBforMariaDB/locations/operationResults", + "Microsoft.DBforMariaDB/locations/azureAsyncOperation", + "Microsoft.DBforMariaDB/locations/performanceTiers", + "Microsoft.DBforMariaDB/locations/securityAlertPoliciesAzureAsyncOperation", + "Microsoft.DBforMariaDB/locations/privateEndpointConnectionProxyOperationResults", + "Microsoft.DBforMariaDB/locations/privateEndpointConnectionProxyAzureAsyncOperation", + "Microsoft.DBforMariaDB/locations/privateEndpointConnectionOperationResults", + "Microsoft.DBforMariaDB/locations/privateEndpointConnectionAzureAsyncOperation", + "Microsoft.DBforMariaDB/locations/securityAlertPoliciesOperationResults", + "Microsoft.DBforMariaDB/locations/recommendedActionSessionsAzureAsyncOperation", + "Microsoft.DBforMariaDB/locations/recommendedActionSessionsOperationResults", + "Microsoft.DBforMariaDB/servers/topQueryStatistics", + "Microsoft.DBforMariaDB/servers/queryTexts", + "Microsoft.DBforMariaDB/servers/waitStatistics", + "Microsoft.DBforMariaDB/servers/resetQueryPerformanceInsightData", + "Microsoft.DBforMariaDB/servers/advisors", + "Microsoft.DBforMariaDB/servers/privateLinkResources", + "Microsoft.DBforMariaDB/servers/privateEndpointConnections", + "Microsoft.DBforMariaDB/servers/privateEndpointConnectionProxies", + "Microsoft.DBforMariaDB/servers/keys", + "Microsoft.DBforMariaDB/locations/serverKeyAzureAsyncOperation", + "Microsoft.DBforMariaDB/locations/serverKeyOperationResults", + "Microsoft.DBforMariaDB/servers/start", + "Microsoft.DBforMariaDB/servers/stop", + "Microsoft.Cache/Redis", + "Microsoft.Cache/Redis/privateEndpointConnectionProxies", + "Microsoft.Cache/Redis/privateEndpointConnectionProxies/validate", + "Microsoft.Cache/Redis/privateEndpointConnections", + "Microsoft.Cache/Redis/privateLinkResources", + "Microsoft.Cache/locations/asyncOperations", + "Microsoft.Cache/locations", + "Microsoft.Cache/locations/operationResults", + "Microsoft.Cache/locations/operationsStatus", + "Microsoft.Cache/checkNameAvailability", + "Microsoft.Cache/operations", + "Microsoft.Cache/redisEnterprise", + "Microsoft.Cache/RedisEnterprise/privateEndpointConnectionProxies", + "Microsoft.Cache/RedisEnterprise/privateEndpointConnectionProxies/validate", + "Microsoft.Cache/RedisEnterprise/privateEndpointConnectionProxies/operationresults", + "Microsoft.Cache/RedisEnterprise/privateEndpointConnections", + "Microsoft.Cache/RedisEnterprise/privateEndpointConnections/operationresults", + "Microsoft.Cache/RedisEnterprise/privateLinkResources", + "Microsoft.Cache/redisEnterprise/databases", + "Microsoft.Cache/locations/checkNameAvailability", + "Microsoft.Cache/Redis/EventGridFilters", + "Microsoft.RecoveryServices/vaults", + "Microsoft.RecoveryServices/operations", + "Microsoft.RecoveryServices/locations", + "Microsoft.RecoveryServices/locations/backupStatus", + "Microsoft.RecoveryServices/locations/checkNameAvailability", + "Microsoft.RecoveryServices/locations/allocatedStamp", + "Microsoft.RecoveryServices/locations/allocateStamp", + "Microsoft.RecoveryServices/locations/backupValidateFeatures", + "Microsoft.RecoveryServices/locations/backupPreValidateProtection", + "Microsoft.RecoveryServices/locations/backupCrrJobs", + "Microsoft.RecoveryServices/locations/backupCrrJob", + "Microsoft.RecoveryServices/locations/backupAadProperties", + "Microsoft.RecoveryServices/locations/backupCrossRegionRestore", + "Microsoft.RecoveryServices/locations/backupCrrOperationResults", + "Microsoft.RecoveryServices/locations/backupCrrOperationsStatus", + "Microsoft.RecoveryServices/backupProtectedItems", + "Microsoft.RecoveryServices/replicationEligibilityResults", + "Microsoft.RecoveryServices/locations/capabilities", + "Microsoft.ServiceBus/namespaces", + "Microsoft.ServiceBus/namespaces/authorizationrules", + "Microsoft.ServiceBus/namespaces/networkrulesets", + "Microsoft.ServiceBus/namespaces/privateEndpointConnections", + "Microsoft.ServiceBus/namespaces/privateEndpointConnectionProxies", + "Microsoft.ServiceBus/namespaces/queues", + "Microsoft.ServiceBus/namespaces/queues/authorizationrules", + "Microsoft.ServiceBus/namespaces/topics", + "Microsoft.ServiceBus/namespaces/topics/authorizationrules", + "Microsoft.ServiceBus/namespaces/topics/subscriptions", + "Microsoft.ServiceBus/namespaces/topics/subscriptions/rules", + "Microsoft.ServiceBus/checkNamespaceAvailability", + "Microsoft.ServiceBus/checkNameAvailability", + "Microsoft.ServiceBus/sku", + "Microsoft.ServiceBus/premiumMessagingRegions", + "Microsoft.ServiceBus/operations", + "Microsoft.ServiceBus/namespaces/eventgridfilters", + "Microsoft.ServiceBus/namespaces/disasterrecoveryconfigs", + "Microsoft.ServiceBus/namespaces/migrationConfigurations", + "Microsoft.ServiceBus/namespaces/disasterrecoveryconfigs/checkNameAvailability", + "Microsoft.ServiceBus/locations", + "Microsoft.ServiceBus/locations/operationStatus", + "Microsoft.ServiceBus/locations/namespaceOperationResults", + "Microsoft.ServiceBus/locations/deleteVirtualNetworkOrSubnets", + "Microsoft.ServiceFabricMesh/applications", + "Microsoft.ServiceFabricMesh/networks", + "Microsoft.ServiceFabricMesh/volumes", + "Microsoft.ServiceFabricMesh/secrets", + "Microsoft.ServiceFabricMesh/gateways", + "Microsoft.ServiceFabricMesh/locations", + "Microsoft.ServiceFabricMesh/locations/applicationOperations", + "Microsoft.ServiceFabricMesh/locations/networkOperations", + "Microsoft.ServiceFabricMesh/locations/volumeOperations", + "Microsoft.ServiceFabricMesh/locations/gatewayOperations", + "Microsoft.ServiceFabricMesh/locations/secretOperations", + "Microsoft.ServiceFabricMesh/operations", + "Microsoft.NotificationHubs/namespaces", + "Microsoft.NotificationHubs/namespaces/notificationHubs", + "Microsoft.NotificationHubs/checkNamespaceAvailability", + "Microsoft.NotificationHubs/checkNameAvailability", + "Microsoft.NotificationHubs/operations", + "Microsoft.ContainerRegistry/registries", + "Microsoft.ContainerRegistry/registries/cacheRules", + "Microsoft.ContainerRegistry/registries/credentialSets", + "Microsoft.ContainerRegistry/registries/connectedRegistries", + "Microsoft.ContainerRegistry/registries/connectedRegistries/deactivate", + "Microsoft.ContainerRegistry/registries/scopeMaps", + "Microsoft.ContainerRegistry/registries/tokens", + "Microsoft.ContainerRegistry/registries/generateCredentials", + "Microsoft.ContainerRegistry/registries/privateEndpointConnections", + "Microsoft.ContainerRegistry/registries/privateEndpointConnectionProxies", + "Microsoft.ContainerRegistry/registries/privateEndpointConnectionProxies/validate", + "Microsoft.ContainerRegistry/registries/privateLinkResources", + "Microsoft.ContainerRegistry/registries/importImage", + "Microsoft.ContainerRegistry/registries/exportPipelines", + "Microsoft.ContainerRegistry/registries/importPipelines", + "Microsoft.ContainerRegistry/registries/pipelineRuns", + "Microsoft.ContainerRegistry/registries/listBuildSourceUploadUrl", + "Microsoft.ContainerRegistry/registries/scheduleRun", + "Microsoft.ContainerRegistry/registries/runs", + "Microsoft.ContainerRegistry/registries/taskRuns", + "Microsoft.ContainerRegistry/registries/taskRuns/listDetails", + "Microsoft.ContainerRegistry/registries/agentPools", + "Microsoft.ContainerRegistry/registries/agentPoolsOperationResults", + "Microsoft.ContainerRegistry/registries/agentPools/listQueueStatus", + "Microsoft.ContainerRegistry/registries/runs/listLogSasUrl", + "Microsoft.ContainerRegistry/registries/runs/cancel", + "Microsoft.ContainerRegistry/registries/tasks", + "Microsoft.ContainerRegistry/registries/tasks/listDetails", + "Microsoft.ContainerRegistry/registries/replications", + "Microsoft.ContainerRegistry/registries/webhooks", + "Microsoft.ContainerRegistry/registries/webhooks/ping", + "Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig", + "Microsoft.ContainerRegistry/registries/webhooks/listEvents", + "Microsoft.ContainerRegistry/locations/operationResults", + "Microsoft.ContainerRegistry/locations/deleteVirtualNetworkOrSubnets", + "Microsoft.ContainerRegistry/registries/listCredentials", + "Microsoft.ContainerRegistry/registries/regenerateCredential", + "Microsoft.ContainerRegistry/registries/listUsages", + "Microsoft.ContainerRegistry/registries/listPolicies", + "Microsoft.ContainerRegistry/registries/updatePolicies", + "Microsoft.ContainerRegistry/registries/eventGridFilters", + "Microsoft.ContainerRegistry/checkNameAvailability", + "Microsoft.ContainerRegistry/operations", + "Microsoft.ContainerRegistry/locations", + "Microsoft.StreamAnalytics/streamingjobs", + "Microsoft.StreamAnalytics/clusters", + "Microsoft.StreamAnalytics/clusters/privateEndpoints", + "Microsoft.StreamAnalytics/locations", + "Microsoft.StreamAnalytics/locations/quotas", + "Microsoft.StreamAnalytics/locations/testQuery", + "Microsoft.StreamAnalytics/locations/compileQuery", + "Microsoft.StreamAnalytics/locations/sampleInput", + "Microsoft.StreamAnalytics/locations/testInput", + "Microsoft.StreamAnalytics/locations/testOutput", + "Microsoft.StreamAnalytics/locations/operationResults", + "Microsoft.StreamAnalytics/operations", + "Microsoft.DataLakeAnalytics/accounts", + "Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts", + "Microsoft.DataLakeAnalytics/accounts/storageAccounts", + "Microsoft.DataLakeAnalytics/accounts/storageAccounts/containers", + "Microsoft.DataLakeAnalytics/accounts/storageAccounts/containers/listSasTokens", + "Microsoft.DataLakeAnalytics/locations", + "Microsoft.DataLakeAnalytics/locations/operationresults", + "Microsoft.DataLakeAnalytics/locations/checkNameAvailability", + "Microsoft.DataLakeAnalytics/locations/capability", + "Microsoft.DataLakeAnalytics/locations/usages", + "Microsoft.DataLakeAnalytics/operations", + "Microsoft.Relay/namespaces", + "Microsoft.Relay/namespaces/authorizationrules", + "Microsoft.Relay/namespaces/privateEndpointConnections", + "Microsoft.Relay/namespaces/privateEndpointConnectionProxies", + "Microsoft.Relay/namespaces/hybridconnections", + "Microsoft.Relay/namespaces/hybridconnections/authorizationrules", + "Microsoft.Relay/namespaces/wcfrelays", + "Microsoft.Relay/namespaces/wcfrelays/authorizationrules", + "Microsoft.Relay/checkNameAvailability", + "Microsoft.Relay/operations", + "Microsoft.Relay/locations", + "Microsoft.Relay/locations/namespaceOperationResults", + // Not supported in Mooncake + /* + "Microsoft.DevTestLab/labs/environments", + "Microsoft.DevTestLab/labs", + "Microsoft.DevTestLab/schedules", + "Microsoft.DevTestLab/labs/virtualMachines", + "Microsoft.DevTestLab/labs/serviceRunners", + "Microsoft.DevTestLab/operations", + "Microsoft.DevTestLab/locations", + "Microsoft.DevTestLab/locations/operations", + */ + "Microsoft.EventHub/namespaces", + "Microsoft.EventHub/clusters", + "Microsoft.EventHub/namespaces/authorizationrules", + "Microsoft.EventHub/namespaces/networkrulesets", + "Microsoft.EventHub/namespaces/privateEndpointConnections", + "Microsoft.EventHub/namespaces/privateEndpointConnectionProxies", + "Microsoft.EventHub/namespaces/networkSecurityPerimeterConfigurations", + "Microsoft.EventHub/namespaces/networkSecurityPerimeterAssociationProxies", + "Microsoft.EventHub/namespaces/eventhubs", + "Microsoft.EventHub/namespaces/eventhubs/authorizationrules", + "Microsoft.EventHub/namespaces/eventhubs/consumergroups", + "Microsoft.EventHub/namespaces/applicationGroups", + "Microsoft.EventHub/checkNamespaceAvailability", + "Microsoft.EventHub/checkNameAvailability", + "Microsoft.EventHub/sku", + "Microsoft.EventHub/operations", + "Microsoft.EventHub/namespaces/disasterrecoveryconfigs", + "Microsoft.EventHub/namespaces/disasterrecoveryconfigs/checkNameAvailability", + "Microsoft.EventHub/locations", + "Microsoft.EventHub/locations/operationStatus", + "Microsoft.EventHub/locations/clusterOperationResults", + "Microsoft.EventHub/locations/namespaceOperationResults", + "Microsoft.EventHub/locations/notifyNetworkSecurityPerimeterUpdatesAvailable", + "Microsoft.EventHub/locations/deleteVirtualNetworkOrSubnets", + "Microsoft.EventHub/availableClusterRegions", + "Microsoft.AppPlatform/Spring", + "Microsoft.AppPlatform/Spring/operationResults", + "Microsoft.AppPlatform/Spring/operationStatuses", + "Microsoft.AppPlatform/Spring/apps", + "Microsoft.AppPlatform/Spring/apps/operationResults", + "Microsoft.AppPlatform/Spring/apps/operationStatuses", + "Microsoft.AppPlatform/Spring/apps/deployments", + "Microsoft.AppPlatform/Spring/apps/deployments/operationResults", + "Microsoft.AppPlatform/Spring/apps/deployments/operationStatuses", + "Microsoft.AppPlatform/Spring/configServers", + "Microsoft.AppPlatform/Spring/configServers/operationResults", + "Microsoft.AppPlatform/Spring/configServers/operationStatuses", + "Microsoft.AppPlatform/Spring/eurekaServers", + "Microsoft.AppPlatform/Spring/eurekaServers/operationResults", + "Microsoft.AppPlatform/Spring/eurekaServers/operationStatuses", + "Microsoft.AppPlatform/Spring/apps/domains", + "Microsoft.AppPlatform/Spring/apps/domains/operationResults", + "Microsoft.AppPlatform/Spring/apps/domains/operationStatuses", + "Microsoft.AppPlatform/locations/checkNameAvailability", + "Microsoft.AppPlatform/operations", + "Microsoft.AppPlatform/locations", + "Microsoft.AppPlatform/runtimeVersions", + "Microsoft.AppPlatform/locations/operationResults", + "Microsoft.AppPlatform/locations/operationStatus", + "Microsoft.CustomProviders/resourceProviders", + "Microsoft.CustomProviders/resourceProviders/operationResults", + "Microsoft.CustomProviders/resourceProviders/operationStatuses", + "Microsoft.CustomProviders/associations", + "Microsoft.CustomProviders/operations", + "Microsoft.CustomProviders/locations", + "Microsoft.CustomProviders/locations/operationStatuses", + "Microsoft.CustomProviders/locations/operationResults", + "Microsoft.DocumentDB/databaseAccounts", + "Microsoft.DocumentDB/databaseAccountNames", + "Microsoft.DocumentDB/operations", + "Microsoft.DocumentDB/operationResults", + "Microsoft.DocumentDB/operationsStatus", + "Microsoft.DocumentDB/locations/operationsStatus", + "Microsoft.DocumentDB/locations/operationResults", + "Microsoft.DocumentDB/locations", + "Microsoft.DocumentDB/locations/deleteVirtualNetworkOrSubnets", + "Microsoft.DocumentDB/locations/restorableDatabaseAccounts", + "Microsoft.DocumentDB/restorableDatabaseAccounts", + "Microsoft.DocumentDB/cassandraClusters", + "Microsoft.DocumentDB/databaseAccounts/encryptionScopes", + "Microsoft.DocumentDB/mongoClusters", + "Microsoft.DocumentDB/locations/mongoClusterOperationResults", + "Microsoft.DocumentDB/locations/mongoClusterAzureAsyncOperation", + "Microsoft.DocumentDB/locations/checkMongoClusterNameAvailability", + "Microsoft.DocumentDB/locations/notifyNetworkSecurityPerimeterUpdatesAvailable", + "Microsoft.DocumentDB/throughputPools", + "Microsoft.DocumentDB/throughputPools/throughputPoolAccounts", + "Microsoft.Maintenance/maintenanceConfigurations", + "Microsoft.Maintenance/updates", + "Microsoft.Maintenance/configurationAssignments", + "Microsoft.Maintenance/applyUpdates", + "Microsoft.Maintenance/publicMaintenanceConfigurations", + "Microsoft.Maintenance/operations", + "Microsoft.Sql/operations", + "Microsoft.Sql/locations", + "Microsoft.Sql/locations/capabilities", + "Microsoft.Sql/locations/databaseAzureAsyncOperation", + "Microsoft.Sql/locations/databaseOperationResults", + "Microsoft.Sql/locations/databaseEncryptionProtectorRevalidateAzureAsyncOperation", + "Microsoft.Sql/locations/databaseEncryptionProtectorRevalidateOperationResults", + "Microsoft.Sql/locations/databaseEncryptionProtectorRevertAzureAsyncOperation", + "Microsoft.Sql/locations/databaseEncryptionProtectorRevertOperationResults", + "Microsoft.Sql/locations/serverKeyAzureAsyncOperation", + "Microsoft.Sql/locations/serverKeyOperationResults", + "Microsoft.Sql/servers/keys", + "Microsoft.Sql/servers/encryptionProtector", + "Microsoft.Sql/locations/encryptionProtectorOperationResults", + "Microsoft.Sql/locations/encryptionProtectorAzureAsyncOperation", + "Microsoft.Sql/locations/externalPolicyBasedAuthorizationsAzureAsycOperation", + "Microsoft.Sql/locations/externalPolicyBasedAuthorizationsOperationResults", + "Microsoft.Sql/locations/refreshExternalGovernanceStatusOperationResults", + "Microsoft.Sql/locations/refreshExternalGovernanceStatusAzureAsyncOperation", + "Microsoft.Sql/locations/refreshExternalGovernanceStatusMIOperationResults", + "Microsoft.Sql/locations/refreshExternalGovernanceStatusMIAzureAsyncOperation", + "Microsoft.Sql/locations/managedInstanceKeyAzureAsyncOperation", + "Microsoft.Sql/locations/managedInstanceKeyOperationResults", + "Microsoft.Sql/locations/managedInstanceEncryptionProtectorOperationResults", + "Microsoft.Sql/locations/managedInstanceEncryptionProtectorAzureAsyncOperation", + "Microsoft.Sql/locations/transparentDataEncryptionAzureAsyncOperation", + "Microsoft.Sql/locations/transparentDataEncryptionOperationResults", + "Microsoft.Sql/locations/managedtransparentDataEncryptionAzureAsyncOperation", + "Microsoft.Sql/locations/managedtransparentDataEncryptionOperationResults", + "Microsoft.Sql/servers/tdeCertificates", + "Microsoft.Sql/locations/tdeCertAzureAsyncOperation", + "Microsoft.Sql/locations/tdeCertOperationResults", + "Microsoft.Sql/locations/serverAzureAsyncOperation", + "Microsoft.Sql/locations/serverOperationResults", + "Microsoft.Sql/locations/usages", + "Microsoft.Sql/checkNameAvailability", + "Microsoft.Sql/servers", + "Microsoft.Sql/servers/databases", + "Microsoft.Sql/servers/serviceObjectives", + "Microsoft.Sql/servers/communicationLinks", + "Microsoft.Sql/servers/administrators", + "Microsoft.Sql/servers/administratorOperationResults", + "Microsoft.Sql/locations/serverAdministratorAzureAsyncOperation", + "Microsoft.Sql/locations/serverAdministratorOperationResults", + "Microsoft.Sql/servers/restorableDroppedDatabases", + "Microsoft.Sql/servers/recoverableDatabases", + "Microsoft.Sql/servers/databases/geoBackupPolicies", + "Microsoft.Sql/servers/import", + "Microsoft.Sql/servers/importExportOperationResults", + "Microsoft.Sql/servers/operationResults", + "Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies", + "Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies", + "Microsoft.Sql/servers/databaseSecurityPolicies", + "Microsoft.Sql/servers/automaticTuning", + "Microsoft.Sql/servers/databases/automaticTuning", + "Microsoft.Sql/servers/databases/transparentDataEncryption", + "Microsoft.Sql/servers/databases/ledgerDigestUploads", + "Microsoft.Sql/locations/ledgerDigestUploadsAzureAsyncOperation", + "Microsoft.Sql/locations/ledgerDigestUploadsOperationResults", + "Microsoft.Sql/servers/recommendedElasticPools", + "Microsoft.Sql/servers/databases/dataMaskingPolicies", + "Microsoft.Sql/servers/databases/dataMaskingPolicies/rules", + "Microsoft.Sql/servers/databases/securityAlertPolicies", + "Microsoft.Sql/servers/securityAlertPolicies", + "Microsoft.Sql/servers/databases/advancedThreatProtectionSettings", + "Microsoft.Sql/servers/advancedThreatProtectionSettings", + "Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings", + "Microsoft.Sql/managedInstances/advancedThreatProtectionSettings", + "Microsoft.Sql/servers/databases/auditingSettings", + "Microsoft.Sql/servers/auditingSettings", + "Microsoft.Sql/servers/extendedAuditingSettings", + "Microsoft.Sql/servers/devOpsAuditingSettings", + "Microsoft.Sql/locations/auditingSettingsAzureAsyncOperation", + "Microsoft.Sql/locations/auditingSettingsOperationResults", + "Microsoft.Sql/locations/extendedAuditingSettingsAzureAsyncOperation", + "Microsoft.Sql/locations/extendedAuditingSettingsOperationResults", + "Microsoft.Sql/locations/devOpsAuditingSettingsOperationResults", + "Microsoft.Sql/locations/devOpsAuditingSettingsAzureAsyncOperation", + "Microsoft.Sql/locations/elasticPoolAzureAsyncOperation", + "Microsoft.Sql/locations/elasticPoolOperationResults", + "Microsoft.Sql/servers/elasticpools", + "Microsoft.Sql/servers/jobAccounts", + "Microsoft.Sql/servers/jobAgents", + "Microsoft.Sql/locations/jobAgentOperationResults", + "Microsoft.Sql/locations/jobAgentAzureAsyncOperation", + "Microsoft.Sql/servers/jobAgents/privateEndpoints", + "Microsoft.Sql/locations/jobAgentPrivateEndpointOperationResults", + "Microsoft.Sql/locations/jobAgentPrivateEndpointAzureAsyncOperation", + "Microsoft.Sql/servers/jobAgents/jobs", + "Microsoft.Sql/servers/jobAgents/jobs/steps", + "Microsoft.Sql/servers/jobAgents/jobs/executions", + "Microsoft.Sql/servers/disasterRecoveryConfiguration", + "Microsoft.Sql/servers/dnsAliases", + "Microsoft.Sql/locations/dnsAliasAsyncOperation", + "Microsoft.Sql/locations/dnsAliasOperationResults", + "Microsoft.Sql/servers/failoverGroups", + "Microsoft.Sql/locations/failoverGroupAzureAsyncOperation", + "Microsoft.Sql/locations/failoverGroupOperationResults", + "Microsoft.Sql/locations/firewallRulesOperationResults", + "Microsoft.Sql/locations/firewallRulesAzureAsyncOperation", + "Microsoft.Sql/locations/ipv6FirewallRulesOperationResults", + "Microsoft.Sql/locations/ipv6FirewallRulesAzureAsyncOperation", + "Microsoft.Sql/locations/deleteVirtualNetworkOrSubnets", + "Microsoft.Sql/servers/virtualNetworkRules", + "Microsoft.Sql/locations/virtualNetworkRulesOperationResults", + "Microsoft.Sql/locations/virtualNetworkRulesAzureAsyncOperation", + "Microsoft.Sql/locations/deleteVirtualNetworkOrSubnetsOperationResults", + "Microsoft.Sql/locations/deleteVirtualNetworkOrSubnetsAzureAsyncOperation", + "Microsoft.Sql/locations/databaseRestoreAzureAsyncOperation", + "Microsoft.Sql/servers/usages", + "Microsoft.Sql/servers/databases/metricDefinitions", + "Microsoft.Sql/servers/databases/metrics", + "Microsoft.Sql/servers/aggregatedDatabaseMetrics", + "Microsoft.Sql/servers/elasticpools/metrics", + "Microsoft.Sql/servers/elasticpools/metricdefinitions", + "Microsoft.Sql/servers/databases/topQueries", + "Microsoft.Sql/servers/databases/topQueries/queryText", + "Microsoft.Sql/servers/advisors", + "Microsoft.Sql/servers/elasticPools/advisors", + "Microsoft.Sql/servers/databases/advisors", + "Microsoft.Sql/servers/databases/extensions", + "Microsoft.Sql/servers/elasticPoolEstimates", + "Microsoft.Sql/servers/databases/auditRecords", + "Microsoft.Sql/servers/databases/VulnerabilityAssessmentScans", + "Microsoft.Sql/servers/databases/workloadGroups", + "Microsoft.Sql/servers/databases/vulnerabilityAssessments", + "Microsoft.Sql/servers/vulnerabilityAssessments", + "Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments", + "Microsoft.Sql/managedInstances/vulnerabilityAssessments", + "Microsoft.Sql/servers/databases/VulnerabilityAssessmentSettings", + "Microsoft.Sql/servers/databases/VulnerabilityAssessment", + "Microsoft.Sql/locations/vulnerabilityAssessmentScanAzureAsyncOperation", + "Microsoft.Sql/locations/vulnerabilityAssessmentScanOperationResults", + "Microsoft.Sql/servers/databases/sqlvulnerabilityassessments", + "Microsoft.Sql/servers/sqlvulnerabilityassessments", + "Microsoft.Sql/locations/sqlVulnerabilityAssessmentAzureAsyncOperation", + "Microsoft.Sql/locations/sqlVulnerabilityAssessmentOperationResults", + "Microsoft.Sql/servers/databases/recommendedSensitivityLabels", + "Microsoft.Sql/servers/databases/syncGroups", + "Microsoft.Sql/servers/databases/syncGroups/syncMembers", + "Microsoft.Sql/servers/syncAgents", + "Microsoft.Sql/instancePools", + "Microsoft.Sql/locations/importExportOperationResults", + "Microsoft.Sql/locations/importExportAzureAsyncOperation", + "Microsoft.Sql/locations/instancePoolOperationResults", + "Microsoft.Sql/locations/instancePoolAzureAsyncOperation", + "Microsoft.Sql/managedInstances", + "Microsoft.Sql/managedInstances/administrators", + "Microsoft.Sql/managedInstances/databases", + "Microsoft.Sql/managedInstances/recoverableDatabases", + "Microsoft.Sql/managedInstances/metrics", + "Microsoft.Sql/managedInstances/metricDefinitions", + "Microsoft.Sql/managedInstances/databases/backupLongTermRetentionPolicies", + "Microsoft.Sql/managedInstances/sqlAgent", + "Microsoft.Sql/managedInstances/startStopSchedules", + "Microsoft.Sql/locations/managedInstancePrivateEndpointConnectionProxyOperationResults", + "Microsoft.Sql/locations/managedInstancePrivateEndpointConnectionProxyAzureAsyncOperation", + "Microsoft.Sql/locations/managedInstancePrivateEndpointConnectionOperationResults", + "Microsoft.Sql/locations/managedInstancePrivateEndpointConnectionAzureAsyncOperation", + "Microsoft.Sql/locations/longTermRetentionManagedInstances", + "Microsoft.Sql/locations/longTermRetentionManagedInstanceBackups", + "Microsoft.Sql/locations/managedInstanceLongTermRetentionPolicyOperationResults", + "Microsoft.Sql/locations/managedInstanceLongTermRetentionPolicyAzureAsyncOperation", + "Microsoft.Sql/locations/longTermRetentionManagedInstanceBackupOperationResults", + "Microsoft.Sql/locations/longTermRetentionManagedInstanceBackupAzureAsyncOperation", + "Microsoft.Sql/locations/managedDatabaseAzureAsyncOperation", + "Microsoft.Sql/locations/managedDatabaseOperationResults", + "Microsoft.Sql/locations/managedDatabaseRestoreAzureAsyncOperation", + "Microsoft.Sql/locations/managedDatabaseRestoreOperationResults", + "Microsoft.Sql/locations/managedDatabaseCompleteRestoreAzureAsyncOperation", + "Microsoft.Sql/locations/managedDatabaseCompleteRestoreOperationResults", + "Microsoft.Sql/locations/managedServerSecurityAlertPoliciesAzureAsyncOperation", + "Microsoft.Sql/locations/stopManagedInstanceAzureAsyncOperation", + "Microsoft.Sql/locations/stopManagedInstanceOperationResults", + "Microsoft.Sql/locations/startManagedInstanceAzureAsyncOperation", + "Microsoft.Sql/locations/startManagedInstanceOperationResults", + "Microsoft.Sql/managedInstances/tdeCertificates", + "Microsoft.Sql/locations/managedInstanceTdeCertAzureAsyncOperation", + "Microsoft.Sql/locations/managedInstanceTdeCertOperationResults", + "Microsoft.Sql/locations/managedServerSecurityAlertPoliciesOperationResults", + "Microsoft.Sql/locations/securityAlertPoliciesAzureAsyncOperation", + "Microsoft.Sql/locations/securityAlertPoliciesOperationResults", + "Microsoft.Sql/locations/advancedThreatProtectionAzureAsyncOperation", + "Microsoft.Sql/locations/advancedThreatProtectionOperationResults", + "Microsoft.Sql/locations/managedInstanceAdvancedThreatProtectionAzureAsyncOperation", + "Microsoft.Sql/locations/managedInstanceAdvancedThreatProtectionOperationResults", + "Microsoft.Sql/managedInstances/dnsAliases", + "Microsoft.Sql/locations/managedDnsAliasAsyncOperation", + "Microsoft.Sql/locations/managedDnsAliasOperationResults", + "Microsoft.Sql/virtualClusters", + "Microsoft.Sql/locations/virtualClusterAzureAsyncOperation", + "Microsoft.Sql/locations/virtualClusterOperationResults", + "Microsoft.Sql/locations/updateManagedInstanceDnsServersAzureAsyncOperation", + "Microsoft.Sql/locations/updateManagedInstanceDnsServersOperationResults", + "Microsoft.Sql/locations/managedInstanceAzureAsyncOperation", + "Microsoft.Sql/locations/managedInstanceOperationResults", + "Microsoft.Sql/locations/distributedAvailabilityGroupsOperationResults", + "Microsoft.Sql/locations/distributedAvailabilityGroupsAzureAsyncOperation", + "Microsoft.Sql/locations/serverTrustCertificatesOperationResults", + "Microsoft.Sql/locations/serverTrustCertificatesAzureAsyncOperation", + "Microsoft.Sql/locations/administratorAzureAsyncOperation", + "Microsoft.Sql/locations/administratorOperationResults", + "Microsoft.Sql/locations/syncGroupOperationResults", + "Microsoft.Sql/locations/syncGroupAzureAsyncOperation", + "Microsoft.Sql/locations/syncMemberOperationResults", + "Microsoft.Sql/locations/syncAgentOperationResults", + "Microsoft.Sql/locations/syncDatabaseIds", + "Microsoft.Sql/locations/longTermRetentionServers", + "Microsoft.Sql/locations/longTermRetentionBackups", + "Microsoft.Sql/locations/longTermRetentionPolicyOperationResults", + "Microsoft.Sql/locations/longTermRetentionPolicyAzureAsyncOperation", + "Microsoft.Sql/locations/longTermRetentionBackupOperationResults", + "Microsoft.Sql/locations/longTermRetentionBackupAzureAsyncOperation", + "Microsoft.Sql/locations/changeLongTermRetentionBackupAccessTierOperationResults", + "Microsoft.Sql/locations/changeLongTermRetentionBackupAccessTierAzureAsyncOperation", + "Microsoft.Sql/locations/shortTermRetentionPolicyOperationResults", + "Microsoft.Sql/locations/shortTermRetentionPolicyAzureAsyncOperation", + "Microsoft.Sql/locations/managedShortTermRetentionPolicyOperationResults", + "Microsoft.Sql/locations/managedShortTermRetentionPolicyAzureAsyncOperation", + "Microsoft.Sql/locations/instanceFailoverGroups", + "Microsoft.Sql/locations/instanceFailoverGroupAzureAsyncOperation", + "Microsoft.Sql/locations/instanceFailoverGroupOperationResults", + "Microsoft.Sql/locations/privateEndpointConnectionProxyOperationResults", + "Microsoft.Sql/locations/privateEndpointConnectionProxyAzureAsyncOperation", + "Microsoft.Sql/locations/privateEndpointConnectionOperationResults", + "Microsoft.Sql/locations/outboundFirewallRulesAzureAsyncOperation", + "Microsoft.Sql/locations/outboundFirewallRulesOperationResults", + "Microsoft.Sql/locations/privateEndpointConnectionAzureAsyncOperation", + "Microsoft.Sql/locations/notifyAzureAsyncOperation", + "Microsoft.Sql/locations/serverTrustGroups", + "Microsoft.Sql/locations/serverTrustGroupOperationResults", + "Microsoft.Sql/locations/serverTrustGroupAzureAsyncOperation", + "Microsoft.Sql/locations/managedDatabaseMoveOperationResults", + "Microsoft.Sql/locations/managedDatabaseMoveAzureAsyncOperation", + "Microsoft.Sql/servers/connectionPolicies", + "Microsoft.Sql/locations/connectionPoliciesAzureAsyncOperation", + "Microsoft.Sql/locations/connectionPoliciesOperationResults", + "Microsoft.Sql/locations/notifyNetworkSecurityPerimeterUpdatesAvailable", + "Microsoft.Sql/locations/replicationLinksAzureAsyncOperation", + "Microsoft.Sql/locations/replicationLinksOperationResults", + "Microsoft.Sql/locations/managedInstanceDtcAzureAsyncOperation", + "Microsoft.Sql/managedInstances/databases/ledgerDigestUploads", + "Microsoft.Sql/locations/managedLedgerDigestUploadsOperationResults", + "Microsoft.Sql/locations/managedLedgerDigestUploadsAzureAsyncOperation", + "Microsoft.Sql/locations/serverConfigurationOptionAzureAsyncOperation", + "Microsoft.Sql/servers/failoverGroups/tryPlannedBeforeForcedFailover", + "Microsoft.DBforMySQL/operations", + "Microsoft.DBforMySQL/servers", + "Microsoft.DBforMySQL/flexibleServers", + "Microsoft.DBforMySQL/servers/recoverableServers", + "Microsoft.DBforMySQL/servers/virtualNetworkRules", + "Microsoft.DBforMySQL/locations/capabilities", + "Microsoft.DBforMySQL/locations/capabilitySets", + "Microsoft.DBforMySQL/locations/checkNameAvailability", + "Microsoft.DBforMySQL/checkNameAvailability", + "Microsoft.DBforMySQL/assessForMigration", + "Microsoft.DBforMySQL/getPrivateDnsZoneSuffix", + "Microsoft.DBforMySQL/locations/checkVirtualNetworkSubnetUsage", + "Microsoft.DBforMySQL/locations/listMigrations", + "Microsoft.DBforMySQL/locations/updateMigration", + "Microsoft.DBforMySQL/locations", + "Microsoft.DBforMySQL/locations/operationResults", + "Microsoft.DBforMySQL/locations/operationProgress", + "Microsoft.DBforMySQL/locations/azureAsyncOperation", + "Microsoft.DBforMySQL/locations/administratorOperationResults", + "Microsoft.DBforMySQL/locations/administratorAzureAsyncOperation", + "Microsoft.DBforMySQL/locations/privateEndpointConnectionProxyOperationResults", + "Microsoft.DBforMySQL/locations/privateEndpointConnectionProxyAzureAsyncOperation", + "Microsoft.DBforMySQL/locations/privateEndpointConnectionOperationResults", + "Microsoft.DBforMySQL/locations/privateEndpointConnectionAzureAsyncOperation", + "Microsoft.DBforMySQL/locations/performanceTiers", + "Microsoft.DBforMySQL/locations/securityAlertPoliciesAzureAsyncOperation", + "Microsoft.DBforMySQL/locations/securityAlertPoliciesOperationResults", + "Microsoft.DBforMySQL/locations/recommendedActionSessionsAzureAsyncOperation", + "Microsoft.DBforMySQL/locations/recommendedActionSessionsOperationResults", + "Microsoft.DBforMySQL/servers/topQueryStatistics", + "Microsoft.DBforMySQL/servers/queryTexts", + "Microsoft.DBforMySQL/servers/waitStatistics", + "Microsoft.DBforMySQL/servers/resetQueryPerformanceInsightData", + "Microsoft.DBforMySQL/servers/advisors", + "Microsoft.DBforMySQL/servers/privateLinkResources", + "Microsoft.DBforMySQL/servers/privateEndpointConnections", + "Microsoft.DBforMySQL/servers/privateEndpointConnectionProxies", + "Microsoft.DBforMySQL/servers/keys", + "Microsoft.DBforMySQL/locations/serverKeyAzureAsyncOperation", + "Microsoft.DBforMySQL/locations/serverKeyOperationResults", + "Microsoft.DBforMySQL/servers/upgrade", + "Microsoft.CognitiveServices/accounts", + "Microsoft.CognitiveServices/operations", + "Microsoft.CognitiveServices/locations/operationResults", + "Microsoft.CognitiveServices/locations", + "Microsoft.CognitiveServices/locations/deleteVirtualNetworkOrSubnets", + "Microsoft.CognitiveServices/locations/checkSkuAvailability", + "Microsoft.CognitiveServices/checkDomainAvailability", + "Microsoft.CognitiveServices/accounts/privateLinkResources", + "Microsoft.CognitiveServices/accounts/privateEndpointConnections", + "Microsoft.CognitiveServices/accounts/privateEndpointConnectionProxies", + "Microsoft.CognitiveServices/deletedAccounts", + "Microsoft.CognitiveServices/locations/resourceGroups", + "Microsoft.CognitiveServices/locations/resourceGroups/deletedAccounts", + "Microsoft.CognitiveServices/locations/commitmentTiers", + "Microsoft.CognitiveServices/locations/models", + "Microsoft.CognitiveServices/locations/usages", + "Microsoft.CognitiveServices/locations/raiContentFilters", + "Microsoft.CognitiveServices/locations/notifyNetworkSecurityPerimeterUpdatesAvailable", + "Microsoft.CognitiveServices/accounts/networkSecurityPerimeterAssociationProxies", + "Microsoft.CognitiveServices/accounts/encryptionScopes", + "Microsoft.CognitiveServices/commitmentPlans", + "Microsoft.CognitiveServices/attestations", + "Microsoft.CognitiveServices/attestationDefinitions", + "Microsoft.Media/mediaservices", + "Microsoft.Media/mediaservices/assets", + "Microsoft.Media/mediaservices/assets/tracks", + "Microsoft.Media/mediaservices/assets/tracks/operationstatuses", + "Microsoft.Media/mediaservices/assets/tracks/operationResults", + "Microsoft.Media/mediaservices/contentKeyPolicies", + "Microsoft.Media/mediaservices/streamingLocators", + "Microsoft.Media/mediaservices/streamingPolicies", + "Microsoft.Media/mediaservices/eventGridFilters", + "Microsoft.Media/mediaservices/transforms", + "Microsoft.Media/mediaservices/transforms/jobs", + "Microsoft.Media/mediaservices/streamingEndpoints", + "Microsoft.Media/mediaservices/liveEvents", + "Microsoft.Media/mediaservices/liveEvents/liveOutputs", + "Microsoft.Media/mediaservices/streamingEndpointOperations", + "Microsoft.Media/mediaservices/liveEventOperations", + "Microsoft.Media/mediaservices/liveOutputOperations", + "Microsoft.Media/mediaservices/streamingendpoints/operationlocations", + "Microsoft.Media/mediaservices/liveevents/operationlocations", + "Microsoft.Media/mediaservices/liveevents/liveoutputs/operationlocations", + "Microsoft.Media/mediaservices/privateEndpointConnectionProxies", + "Microsoft.Media/mediaservices/privateEndpointConnections", + "Microsoft.Media/mediaservices/privateEndpointConnectionOperations", + "Microsoft.Media/locations/mediaServicesOperationStatuses", + "Microsoft.Media/locations/mediaServicesOperationResults", + "Microsoft.Media/mediaservices/assets/assetFilters", + "Microsoft.Media/mediaservices/accountFilters", + "Microsoft.Media/operations", + "Microsoft.Media/checknameavailability", + "Microsoft.Media/locations", + "Microsoft.Media/locations/checkNameAvailability", + "Microsoft.Web/publishingUsers", + "Microsoft.Web/ishostnameavailable", + "Microsoft.Web/validate", + "Microsoft.Web/isusernameavailable", + "Microsoft.Web/generateGithubAccessTokenForAppserviceCLI", + "Microsoft.Web/sourceControls", + "Microsoft.Web/availableStacks", + "Microsoft.Web/webAppStacks", + "Microsoft.Web/locations/webAppStacks", + "Microsoft.Web/functionAppStacks", + "Microsoft.Web/locations/functionAppStacks", + "Microsoft.Web/staticSites", + "Microsoft.Web/locations/previewStaticSiteWorkflowFile", + "Microsoft.Web/staticSites/userProvidedFunctionApps", + "Microsoft.Web/staticSites/linkedBackends", + "Microsoft.Web/staticSites/builds/linkedBackends", + "Microsoft.Web/staticSites/databaseConnections", + "Microsoft.Web/staticSites/builds/databaseConnections", + "Microsoft.Web/staticSites/builds", + "Microsoft.Web/staticSites/builds/userProvidedFunctionApps", + "Microsoft.Web/listSitesAssignedToHostName", + "Microsoft.Web/locations/getNetworkPolicies", + "Microsoft.Web/locations/operations", + "Microsoft.Web/locations/operationResults", + "Microsoft.Web/sites/networkConfig", + "Microsoft.Web/sites/slots/networkConfig", + "Microsoft.Web/sites/hostNameBindings", + "Microsoft.Web/sites/slots/hostNameBindings", + "Microsoft.Web/operations", + "Microsoft.Web/certificates", + "Microsoft.Web/serverFarms", + "Microsoft.Web/sites", + "Microsoft.Web/sites/slots", + "Microsoft.Web/runtimes", + "Microsoft.Web/recommendations", + "Microsoft.Web/resourceHealthMetadata", + "Microsoft.Web/aseregions", + "Microsoft.Web/georegions", + "Microsoft.Web/sites/premieraddons", + "Microsoft.Web/hostingEnvironments", + "Microsoft.Web/hostingEnvironments/multiRolePools", + "Microsoft.Web/hostingEnvironments/workerPools", + "Microsoft.Web/kubeEnvironments", + "Microsoft.Web/deploymentLocations", + "Microsoft.Web/deletedSites", + "Microsoft.Web/locations/deletedSites", + "Microsoft.Web/ishostingenvironmentnameavailable", + "Microsoft.Web/locations/deleteVirtualNetworkOrSubnets", + "Microsoft.Web/locations/validateDeleteVirtualNetworkOrSubnets", + "Microsoft.Web/connections", + "Microsoft.Web/customApis", + "Microsoft.Web/locations", + "Microsoft.Web/locations/listWsdlInterfaces", + "Microsoft.Web/locations/extractApiDefinitionFromWsdl", + "Microsoft.Web/locations/managedApis", + "Microsoft.Web/locations/runtimes", + "Microsoft.Web/locations/apiOperations", + "Microsoft.Web/connectionGateways", + "Microsoft.Web/locations/connectionGatewayInstallations", + "Microsoft.Web/checkNameAvailability", + "Microsoft.Web/billingMeters", + "Microsoft.Web/verifyHostingEnvironmentVnet", + "Microsoft.Web/serverFarms/eventGridFilters", + "Microsoft.Web/sites/eventGridFilters", + "Microsoft.Web/sites/slots/eventGridFilters", + "Microsoft.Web/hostingEnvironments/eventGridFilters", + "Microsoft.Web/serverFarms/firstPartyApps", + "Microsoft.Web/serverFarms/firstPartyApps/keyVaultSettings", + "Microsoft.Web/containerApps", + "Microsoft.Web/customhostnameSites", + "Microsoft.Web/locations/usages", + "Microsoft.Search/searchServices", + "Microsoft.Search/checkServiceNameAvailability", + "Microsoft.Search/checkNameAvailability", + "Microsoft.Search/resourceHealthMetadata", + "Microsoft.Search/operations", + "Microsoft.Search/locations", + "Microsoft.Search/locations/notifyNetworkSecurityPerimeterUpdatesAvailable", + "Microsoft.Search/locations/usages", + "Microsoft.Search/locations/operationResults", + "Microsoft.DataLakeStore/accounts", + "Microsoft.DataLakeStore/accounts/firewallRules", + "Microsoft.DataLakeStore/accounts/eventGridFilters", + "Microsoft.DataLakeStore/locations", + "Microsoft.DataLakeStore/locations/operationresults", + "Microsoft.DataLakeStore/locations/checkNameAvailability", + "Microsoft.DataLakeStore/locations/capability", + "Microsoft.DataLakeStore/locations/usages", + "Microsoft.DataLakeStore/locations/deleteVirtualNetworkOrSubnets", + "Microsoft.DataLakeStore/operations", + "Microsoft.DataMigration/locations", + "Microsoft.DataMigration/services", + "Microsoft.DataMigration/services/projects", + "Microsoft.DataMigration/locations/operationResults", + "Microsoft.DataMigration/locations/operationStatuses", + "Microsoft.DataMigration/locations/checkNameAvailability", + "Microsoft.DataMigration/operations", + "Microsoft.DataMigration/migrationServices", + "Microsoft.DataMigration/SqlMigrationServices", + "Microsoft.DataMigration/DatabaseMigrations", + "Microsoft.DataMigration/Locations/OperationTypes", + "Microsoft.DataMigration/locations/migrationServiceOperationResults", + "Microsoft.DataMigration/Locations/sqlMigrationServiceOperationResults", + "Microsoft.Kusto/clusters", + "Microsoft.Kusto/clusters/databases", + "Microsoft.Kusto/clusters/attacheddatabaseconfigurations", + "Microsoft.Kusto/clusters/principalassignments", + "Microsoft.Kusto/clusters/databases/eventhubconnections", + "Microsoft.Kusto/clusters/databases/dataconnections", + "Microsoft.Kusto/clusters/databases/principalassignments", + "Microsoft.Kusto/locations/operationResults", + "Microsoft.Kusto/locations", + "Microsoft.Kusto/locations/checkNameAvailability", + "Microsoft.Kusto/locations/skus", + "Microsoft.Kusto/operations", + "Microsoft.Kusto/clusters/databases/scripts", + "Microsoft.Kusto/clusters/managedPrivateEndpoints", + "Microsoft.Kusto/clusters/sandboxCustomImages", + "Microsoft.ApiManagement/service", + "Microsoft.ApiManagement/deletedServices", + "Microsoft.ApiManagement/locations", + "Microsoft.ApiManagement/locations/deletedServices", + "Microsoft.ApiManagement/validateServiceName", + "Microsoft.ApiManagement/checkServiceNameAvailability", + "Microsoft.ApiManagement/checkNameAvailability", + "Microsoft.ApiManagement/reportFeedback", + "Microsoft.ApiManagement/checkFeedbackRequired", + "Microsoft.ApiManagement/operations", + "Microsoft.ApiManagement/getDomainOwnershipIdentifier", + "Microsoft.ApiManagement/service/eventGridFilters", + "Microsoft.MixedReality/locations", + "Microsoft.MixedReality/locations/checkNameAvailability", + "Microsoft.MixedReality/operations", + "Microsoft.MixedReality/spatialAnchorsAccounts", + "Microsoft.MixedReality/remoteRenderingAccounts", + "Microsoft.MixedReality/objectAnchorsAccounts", + "Microsoft.Maps/accounts", + "Microsoft.Maps/accounts/creators", + "Microsoft.Maps/accounts/eventGridFilters", + "Microsoft.Maps/operations", + "Microsoft.AVS/locations", + "Microsoft.AVS/locations/checkQuotaAvailability", + "Microsoft.AVS/locations/checkTrialAvailability", + "Microsoft.AVS/locations/usages", + "Microsoft.AVS/operations", + "Microsoft.AVS/privateClouds", + "Microsoft.AVS/privateClouds/addons", + "Microsoft.AVS/privateClouds/authorizations", + "Microsoft.AVS/privateClouds/cloudLinks", + "Microsoft.AVS/privateClouds/clusters", + "Microsoft.AVS/privateClouds/clusters/datastores", + "Microsoft.AVS/privateClouds/clusters/placementPolicies", + "Microsoft.AVS/privateClouds/clusters/virtualMachines", + "Microsoft.AVS/privateClouds/eventGridFilters", + "Microsoft.AVS/privateClouds/globalReachConnections", + "Microsoft.AVS/privateClouds/hcxEnterpriseSites", + "Microsoft.AVS/privateClouds/scriptExecutions", + "Microsoft.AVS/privateClouds/scriptPackages", + "Microsoft.AVS/privateClouds/scriptPackages/scriptCmdlets", + "Microsoft.AVS/privateClouds/workloadNetworks", + "Microsoft.AVS/privateClouds/workloadNetworks/dhcpConfigurations", + "Microsoft.AVS/privateClouds/workloadNetworks/dnsServices", + "Microsoft.AVS/privateClouds/workloadNetworks/dnsZones", + "Microsoft.AVS/privateClouds/workloadNetworks/gateways", + "Microsoft.AVS/privateClouds/workloadNetworks/portMirroringProfiles", + "Microsoft.AVS/privateClouds/workloadNetworks/publicIPs", + "Microsoft.AVS/privateClouds/workloadNetworks/segments", + "Microsoft.AVS/privateClouds/workloadNetworks/virtualMachines", + "Microsoft.AVS/privateClouds/workloadNetworks/vmGroups", + "Microsoft.Blueprint/blueprints", + "Microsoft.Blueprint/blueprints/artifacts", + "Microsoft.Blueprint/blueprints/versions", + "Microsoft.Blueprint/blueprints/versions/artifacts", + "Microsoft.Blueprint/blueprintAssignments", + "Microsoft.Blueprint/blueprintAssignments/operations", + "Microsoft.Blueprint/blueprintAssignments/assignmentOperations", + "Microsoft.Blueprint/operations", + "Microsoft.HealthcareApis/services", + "Microsoft.HealthcareApis/services/privateEndpointConnectionProxies", + "Microsoft.HealthcareApis/services/privateEndpointConnections", + "Microsoft.HealthcareApis/services/privateLinkResources", + "Microsoft.HealthcareApis/services/iomtconnectors", + "Microsoft.HealthcareApis/services/iomtconnectors/connections", + "Microsoft.HealthcareApis/services/iomtconnectors/mappings", + "Microsoft.HealthcareApis/workspaces", + "Microsoft.HealthcareApis/workspaces/privateEndpointConnectionProxies", + "Microsoft.HealthcareApis/workspaces/privateEndpointConnections", + "Microsoft.HealthcareApis/workspaces/privateLinkResources", + "Microsoft.HealthcareApis/workspaces/dicomservices", + "Microsoft.HealthcareApis/workspaces/iotconnectors", + "Microsoft.HealthcareApis/workspaces/iotconnectors/fhirdestinations", + "Microsoft.HealthcareApis/workspaces/fhirservices", + "Microsoft.HealthcareApis/workspaces/eventGridFilters", + "Microsoft.HealthcareApis/locations", + "Microsoft.HealthcareApis/locations/operationresults", + "Microsoft.HealthcareApis/checkNameAvailability", + "Microsoft.HealthcareApis/operations", + "Microsoft.HealthcareApis/validateMedtechMappings", + "Microsoft.Advisor/suppressions", + "Microsoft.Advisor/configurations", + "Microsoft.Advisor/metadata", + "Microsoft.Advisor/recommendations", + "Microsoft.Advisor/generateRecommendations", + "Microsoft.Advisor/operations", + "Microsoft.Advisor/advisorScore", + "Microsoft.Advisor/predict", + "Microsoft.MarketplaceNotifications/reviewsnotifications", + "Microsoft.MarketplaceNotifications/operations", + "Microsoft.ServiceLinker/locations", + "Microsoft.ServiceLinker/locations/operationStatuses", + "Microsoft.ServiceLinker/operations", + "Microsoft.ServiceLinker/linkers", + "Microsoft.ServiceLinker/dryruns", + "Microsoft.ServiceLinker/locations/connectors", + "Microsoft.ServiceLinker/locations/dryruns", + "Microsoft.ServiceLinker/configurationNames", + "Microsoft.ServiceLinker/daprConfigurations", + "Microsoft.DataProtection/BackupVaults", + "Microsoft.DataProtection/ResourceGuards", + "Microsoft.DataProtection/operations", + "Microsoft.DataProtection/locations", + "Microsoft.DataProtection/locations/operationResults", + "Microsoft.DataProtection/locations/operationStatus", + "Microsoft.DataProtection/locations/checkNameAvailability", + "Microsoft.DataProtection/locations/checkFeatureSupport", + "Microsoft.DataProtection/backupInstances", + "Microsoft.DataProtection/locations/fetchSecondaryRecoveryPoints", + "Microsoft.DataProtection/locations/fetchCrossRegionRestoreJobs", + "Microsoft.DataProtection/locations/fetchCrossRegionRestoreJob", + "Microsoft.DataProtection/locations/validateCrossRegionRestore", + "Microsoft.DataProtection/locations/crossRegionRestore", + "Microsoft.Consumption/Forecasts", + "Microsoft.Consumption/AggregatedCost", + "Microsoft.Consumption/tenants", + "Microsoft.Consumption/ReservationRecommendations", + "Microsoft.Consumption/ReservationRecommendationDetails", + "Microsoft.Consumption/ReservationSummaries", + "Microsoft.Consumption/ReservationTransactions", + "Microsoft.Consumption/Balances", + "Microsoft.Consumption/Marketplaces", + "Microsoft.Consumption/Pricesheets", + "Microsoft.Consumption/ReservationDetails", + "Microsoft.Consumption/Budgets", + "Microsoft.Consumption/CostTags", + "Microsoft.Consumption/Tags", + "Microsoft.Consumption/Terms", + "Microsoft.Consumption/UsageDetails", + "Microsoft.Consumption/Charges", + "Microsoft.Consumption/credits", + "Microsoft.Consumption/events", + "Microsoft.Consumption/lots", + "Microsoft.Consumption/products", + "Microsoft.Consumption/OperationStatus", + "Microsoft.Consumption/OperationResults", + "Microsoft.Consumption/Operations", + "Microsoft.GuestConfiguration/guestConfigurationAssignments", + "Microsoft.GuestConfiguration/operations", + "Astronomer.Astro/locations", + "Astronomer.Astro/operations", + "Astronomer.Astro/organizations", + "Astronomer.Astro/locations/operationStatuses", + "Dynatrace.Observability/operations", + "Dynatrace.Observability/registeredSubscriptions", + "Dynatrace.Observability/locations", + "Dynatrace.Observability/locations/operationStatuses", + "Dynatrace.Observability/monitors", + "Dynatrace.Observability/monitors/tagRules", + "Dynatrace.Observability/monitors/singleSignOnConfigurations", + "Dynatrace.Observability/checkNameAvailability", + "Dynatrace.Observability/getMarketplaceSaaSResourceDetails", + "GitHub.Network/Operations", + "GitHub.Network/networkSettings", + "GitHub.Network/registeredSubscriptions", + "Microsoft.AAD/DomainServices", + "Microsoft.AAD/DomainServices/oucontainer", + "Microsoft.AAD/locations", + "Microsoft.AAD/locations/operationresults", + "Microsoft.AAD/operations", + "Microsoft.AadCustomSecurityAttributesDiagnosticSettings/operations", + "Microsoft.AadCustomSecurityAttributesDiagnosticSettings/diagnosticSettings", + "Microsoft.AadCustomSecurityAttributesDiagnosticSettings/diagnosticSettingsCategories", + "microsoft.aadiam/azureADMetrics", + "microsoft.aadiam/privateLinkForAzureAD", + "microsoft.aadiam/tenants", + "microsoft.aadiam/operations", + "microsoft.aadiam/diagnosticSettings", + "microsoft.aadiam/diagnosticSettingsCategories", + "Microsoft.Addons/supportProviders", + "Microsoft.Addons/operations", + "Microsoft.Addons/operationResults", + "Microsoft.ADHybridHealthService/services", + "Microsoft.ADHybridHealthService/addsservices", + "Microsoft.ADHybridHealthService/configuration", + "Microsoft.ADHybridHealthService/operations", + "Microsoft.ADHybridHealthService/agents", + "Microsoft.ADHybridHealthService/aadsupportcases", + "Microsoft.ADHybridHealthService/reports", + "Microsoft.ADHybridHealthService/servicehealthmetrics", + "Microsoft.ADHybridHealthService/logs", + "Microsoft.ADHybridHealthService/anonymousapiusers", + "Microsoft.AgFoodPlatform/operations", + "Microsoft.AgFoodPlatform/farmBeatsExtensionDefinitions", + "Microsoft.AgFoodPlatform/farmBeatsSolutionDefinitions", + "Microsoft.AgFoodPlatform/checkNameAvailability", + "Microsoft.AgFoodPlatform/locations", + "Microsoft.AksHybrid/locations", + "Microsoft.AnalysisServices/servers", + "Microsoft.AnalysisServices/locations", + "Microsoft.AnalysisServices/locations/checkNameAvailability", + "Microsoft.AnalysisServices/locations/operationresults", + "Microsoft.AnalysisServices/locations/operationstatuses", + "Microsoft.AnalysisServices/operations", + "Microsoft.AnyBuild/Locations", + "Microsoft.AnyBuild/Locations/OperationStatuses", + "Microsoft.AnyBuild/clusters", + "Microsoft.AnyBuild/Operations", + "Microsoft.ApiCenter/services", + "Microsoft.ApiCenter/operations", + "Microsoft.ApiCenter/services/eventGridFilters", + "Microsoft.ApiSecurity/Locations", + "Microsoft.ApiSecurity/Locations/OperationStatuses", + "Microsoft.ApiSecurity/Operations", + "Microsoft.ApiSecurity/apiCollections", + "Microsoft.ApiSecurity/apiCollections/apiCollectionDetails", + "Microsoft.ApiSecurity/apiCollectionsMeta", + "Microsoft.ApiSecurity/apiCollectionsMeta/apiCollectionMetaDetails", + "Microsoft.App/managedEnvironments", + "Microsoft.App/managedEnvironments/certificates", + "Microsoft.App/managedEnvironments/managedCertificates", + "Microsoft.App/containerApps", + "Microsoft.App/jobs", + "Microsoft.App/locations", + "Microsoft.App/locations/managedEnvironmentOperationResults", + "Microsoft.App/locations/managedEnvironmentOperationStatuses", + "Microsoft.App/locations/containerappOperationResults", + "Microsoft.App/locations/containerappOperationStatuses", + "Microsoft.App/locations/containerappsjobOperationResults", + "Microsoft.App/locations/containerappsjobOperationStatuses", + "Microsoft.App/locations/sourceControlOperationResults", + "Microsoft.App/locations/sourceControlOperationStatuses", + "Microsoft.App/locations/usages", + "Microsoft.App/operations", + "Microsoft.App/connectedEnvironments", + "Microsoft.App/connectedEnvironments/certificates", + "Microsoft.App/locations/connectedEnvironmentOperationResults", + "Microsoft.App/locations/connectedEnvironmentOperationStatuses", + "Microsoft.App/locations/managedCertificateOperationStatuses", + "Microsoft.App/locations/billingMeters", + "Microsoft.App/locations/availableManagedEnvironmentsWorkloadProfileTypes", + "Microsoft.App/getCustomDomainVerificationId", + "Microsoft.App/builders", + "Microsoft.App/builders/builds", + "Microsoft.App/locations/OperationResults", + "Microsoft.App/locations/OperationStatuses", + "Microsoft.App/managedEnvironments/dotNetComponents", + "Microsoft.App/managedEnvironments/javaComponents", + "Microsoft.App/managedEnvironments/daprComponents", + "Microsoft.AppAssessment/Locations", + "Microsoft.AppAssessment/operations", + "Microsoft.AppAssessment/Locations/OperationStatuses", + "Microsoft.AppAssessment/Locations/osVersions", + "Microsoft.AppComplianceAutomation/operations", + "Microsoft.AppComplianceAutomation/locations", + "Microsoft.AppComplianceAutomation/locations/operationStatuses", + "Microsoft.AppComplianceAutomation/reports", + "Microsoft.AppComplianceAutomation/reports/snapshots", + "Microsoft.AppComplianceAutomation/onboard", + "Microsoft.AppComplianceAutomation/triggerEvaluation", + "Microsoft.AppComplianceAutomation/reports/webhooks", + "Microsoft.AppComplianceAutomation/reports/evidences", + "Microsoft.AppComplianceAutomation/listInUseStorageAccounts", + "Microsoft.AppComplianceAutomation/checkNameAvailability", + "Microsoft.AppComplianceAutomation/getCollectionCount", + "Microsoft.AppComplianceAutomation/getOverviewStatus", + "Microsoft.AppComplianceAutomation/reports/scopingConfigurations", + "Microsoft.AppConfiguration/configurationStores", + "Microsoft.AppConfiguration/configurationStores/keyValues", + "Microsoft.AppConfiguration/configurationStores/eventGridFilters", + "Microsoft.AppConfiguration/checkNameAvailability", + "Microsoft.AppConfiguration/locations/checkNameAvailability", + "Microsoft.AppConfiguration/locations", + "Microsoft.AppConfiguration/locations/operationsStatus", + "Microsoft.AppConfiguration/operations", + "Microsoft.AppConfiguration/deletedConfigurationStores", + "Microsoft.AppConfiguration/locations/deletedConfigurationStores", + "Microsoft.AppConfiguration/configurationStores/replicas", + "Microsoft.AppConfiguration/configurationStores/snapshots", + "Microsoft.AppConfiguration/locations/notifyNetworkSecurityPerimeterUpdatesAvailable", + "Microsoft.AppSecurity/operationStatuses", + "Microsoft.ArcNetworking/locations", + "Microsoft.ArcNetworking/locations/operationStatuses", + "Microsoft.ArcNetworking/arcNwLoadBalancers", + "Microsoft.Attestation/attestationProviders", + "Microsoft.Attestation/defaultProviders", + "Microsoft.Attestation/locations", + "Microsoft.Attestation/locations/defaultProvider", + "Microsoft.Attestation/operations", + "Microsoft.Authorization/roleAssignmentScheduleRequests", + "Microsoft.Authorization/roleEligibilityScheduleRequests", + "Microsoft.Authorization/roleAssignmentSchedules", + "Microsoft.Authorization/roleEligibilitySchedules", + "Microsoft.Authorization/roleAssignmentScheduleInstances", + "Microsoft.Authorization/roleEligibilityScheduleInstances", + "Microsoft.Authorization/roleManagementPolicies", + "Microsoft.Authorization/roleManagementPolicyAssignments", + "Microsoft.Authorization/eligibleChildResources", + "Microsoft.Authorization/roleManagementAlerts", + "Microsoft.Authorization/roleManagementAlertConfigurations", + "Microsoft.Authorization/roleManagementAlertDefinitions", + "Microsoft.Authorization/roleManagementAlertOperations", + "Microsoft.Authorization/roleAssignments", + "Microsoft.Authorization/roleDefinitions", + "Microsoft.Authorization/classicAdministrators", + "Microsoft.Authorization/permissions", + "Microsoft.Authorization/denyAssignments", + "Microsoft.Authorization/locks", + "Microsoft.Authorization/operations", + "Microsoft.Authorization/policyDefinitions", + "Microsoft.Authorization/policyDefinitions/versions", + "Microsoft.Authorization/policySetDefinitions", + "Microsoft.Authorization/policySetDefinitions/versions", + "Microsoft.Authorization/policyAssignments", + "Microsoft.Authorization/policyExemptions", + "Microsoft.Authorization/listPolicyDefinitionVersions", + "Microsoft.Authorization/listPolicySetDefinitionVersions", + "Microsoft.Authorization/dataAliases", + "Microsoft.Authorization/dataPolicyManifests", + "Microsoft.Authorization/providerOperations", + "Microsoft.Authorization/elevateAccess", + "Microsoft.Authorization/checkAccess", + "Microsoft.Authorization/batchResourceCheckAccess", + "Microsoft.Authorization/findOrphanRoleAssignments", + "Microsoft.Authorization/roleAssignmentsUsageMetrics", + "Microsoft.Authorization/accessReviewScheduleDefinitions", + "Microsoft.Authorization/accessReviewScheduleSettings", + "Microsoft.Authorization/accessReviewHistoryDefinitions", + "Microsoft.Authorization/roleAssignmentApprovals", + "Microsoft.Authorization/privateLinkAssociations", + "Microsoft.Authorization/resourceManagementPrivateLinks", + "Microsoft.Authorization/EnablePrivateLinkNetworkAccess", + "Microsoft.Authorization/operationStatus", + "Microsoft.Authorization/diagnosticSettings", + "Microsoft.Authorization/diagnosticSettingsCategories", + "Microsoft.Automanage/configurationProfileAssignments", + "Microsoft.Automanage/configurationProfiles", + "Microsoft.Automanage/configurationProfiles/versions", + "Microsoft.Automanage/bestPractices", + "Microsoft.Automanage/bestPractices/versions", + "Microsoft.Automanage/operations", + "Microsoft.Automanage/servicePrincipals", + "Microsoft.AutonomousDevelopmentPlatform/operations", + "Microsoft.AutonomousDevelopmentPlatform/locations", + "Microsoft.AutonomousDevelopmentPlatform/locations/operationstatuses", + "Microsoft.AutonomousDevelopmentPlatform/checknameavailability", + "Microsoft.AutonomousDevelopmentPlatform/workspaces/eventgridfilters", + "Microsoft.AwsConnector/Locations", + "Microsoft.AwsConnector/Operations", + "Microsoft.AzureActiveDirectory/ciamDirectories", + "Microsoft.AzureActiveDirectory/guestUsages", + "Microsoft.AzureActiveDirectory/b2cDirectories", + "Microsoft.AzureActiveDirectory/checkNameAvailability", + "Microsoft.AzureActiveDirectory/operations", + "Microsoft.AzureActiveDirectory/b2ctenants", + "Microsoft.AzureActiveDirectory/operationStatuses", + "Microsoft.AzureArcData/Locations", + "Microsoft.AzureArcData/Locations/OperationStatuses", + "Microsoft.AzureArcData/DataControllers", + "Microsoft.AzureArcData/SqlManagedInstances", + "Microsoft.AzureArcData/PostgresInstances", + "Microsoft.AzureArcData/SqlServerInstances", + "Microsoft.AzureArcData/Operations", + "Microsoft.AzureArcData/DataControllers/ActiveDirectoryConnectors", + "Microsoft.AzureArcData/SqlServerInstances/Databases", + "Microsoft.AzureArcData/SqlManagedInstances/FailoverGroups", + "Microsoft.AzureArcData/SqlServerInstances/AvailabilityGroups", + "Microsoft.AzureFleet/locations", + "Microsoft.AzureLargeInstance/azureLargeInstances", + "Microsoft.AzureLargeInstance/azureLargeStorageInstances", + "Microsoft.AzureLargeInstance/locations", + "Microsoft.AzureLargeInstance/locations/operationsStatus", + "Microsoft.AzureLargeInstance/operations", + "Microsoft.AzurePercept/checkNameAvailability", + "Microsoft.AzurePercept/operations", + "Microsoft.AzurePlaywrightService/operations", + "Microsoft.AzurePlaywrightService/checkNameAvailability", + "Microsoft.AzurePlaywrightService/Locations", + "Microsoft.AzurePlaywrightService/Locations/OperationStatuses", + "Microsoft.AzurePlaywrightService/accounts", + "Microsoft.AzurePlaywrightService/registeredSubscriptions", + "Microsoft.AzurePlaywrightService/Locations/Quotas", + "Microsoft.AzureScan/scanningAccounts", + "Microsoft.AzureScan/locations", + "Microsoft.AzureScan/locations/OperationStatuses", + "Microsoft.AzureScan/Operations", + "Microsoft.AzureScan/checkNameAvailability", + "Microsoft.AzureSphere/catalogs", + "Microsoft.AzureSphere/catalogs/products", + "Microsoft.AzureSphere/catalogs/products/devicegroups", + "Microsoft.AzureSphere/locations", + "Microsoft.AzureSphere/catalogs/certificates", + "Microsoft.AzureSphere/catalogs/images", + "Microsoft.AzureSphere/operations", + "Microsoft.AzureSphere/locations/operationStatuses", + "Microsoft.AzureSphere/catalogs/products/devicegroups/devices", + "Microsoft.AzureSphere/catalogs/products/devicegroups/deployments", + "Microsoft.AzureStack/operations", + "Microsoft.AzureStack/registrations", + "Microsoft.AzureStack/registrations/products", + "Microsoft.AzureStack/registrations/customerSubscriptions", + "Microsoft.AzureStack/cloudManifestFiles", + "Microsoft.AzureStack/linkedSubscriptions", + "Microsoft.AzureStack/generateDeploymentLicense", + "Microsoft.AzureStackHCI/operations", + "Microsoft.AzureStackHCI/locations", + "Microsoft.AzureStackHCI/locations/operationstatuses", + "Microsoft.AzureStackHCI/galleryImages", + "Microsoft.AzureStackHCI/networkInterfaces", + "Microsoft.AzureStackHCI/virtualMachines", + "Microsoft.AzureStackHCI/virtualNetworks", + "Microsoft.AzureStackHCI/virtualHardDisks", + "Microsoft.AzureStackHCI/clusters", + "Microsoft.AzureStackHCI/clusters/arcSettings", + "Microsoft.AzureStackHCI/clusters/arcSettings/extensions", + "Microsoft.AzureStackHCI/virtualMachines/extensions", + "Microsoft.AzureStackHCI/virtualMachines/hybrididentitymetadata", + "Microsoft.AzureStackHCI/clusters/publishers", + "Microsoft.AzureStackHCI/clusters/offers", + "Microsoft.AzureStackHCI/clusters/publishers/offers", + "Microsoft.AzureStackHCI/clusters/publishers/offers/skus", + "Microsoft.AzureStackHCI/marketplaceGalleryImages", + "Microsoft.AzureStackHCI/storageContainers", + "Microsoft.AzureStackHCI/clusters/updates", + "Microsoft.AzureStackHCI/clusters/updates/updateRuns", + "Microsoft.AzureStackHCI/clusters/updateSummaries", + "Microsoft.AzureStackHCI/registeredSubscriptions", + "Microsoft.AzureStackHCI/virtualMachineInstances", + "Microsoft.AzureStackHCI/clusters/deploymentSettings", + "Microsoft.AzureStackHCI/edgeDevices", + "Microsoft.AzureStackHCI/logicalNetworks", + "Microsoft.AzureStackHCI/clusters/securitySettings", + "Microsoft.BackupSolutions/VMwareApplications", + "Microsoft.BackupSolutions/locations", + "Microsoft.BackupSolutions/locations/operationstatuses", + "Microsoft.BackupSolutions/operations", + "Microsoft.BareMetal/bareMetalConnections", + "Microsoft.BareMetal/operations", + "Microsoft.BareMetal/locations", + "Microsoft.BareMetal/locations/operationResults", + "Microsoft.BareMetal/utilization", + "Microsoft.BareMetalInfrastructure/bareMetalInstances", + "Microsoft.BareMetalInfrastructure/bareMetalStorageInstances", + "Microsoft.BareMetalInfrastructure/locations", + "Microsoft.BareMetalInfrastructure/locations/operationsStatus", + "Microsoft.BareMetalInfrastructure/operations", + "Microsoft.Batch/batchAccounts", + "Microsoft.Batch/batchAccounts/pools", + "Microsoft.Batch/batchAccounts/detectors", + "Microsoft.Batch/batchAccounts/certificates", + "Microsoft.Batch/batchAccounts/operationResults", + "Microsoft.Batch/batchAccounts/poolOperationResults", + "Microsoft.Batch/batchAccounts/certificateOperationResults", + "Microsoft.Batch/batchAccounts/privateEndpointConnectionProxyResults", + "Microsoft.Batch/batchAccounts/privateEndpointConnectionResults", + "Microsoft.Batch/operations", + "Microsoft.Batch/locations", + "Microsoft.Batch/locations/quotas", + "Microsoft.Batch/locations/checkNameAvailability", + "Microsoft.Batch/locations/accountOperationResults", + "Microsoft.Batch/locations/virtualMachineSkus", + "Microsoft.Batch/locations/cloudServiceSkus", + "Microsoft.Billing/billingPeriods", + "Microsoft.Billing/invoices", + "Microsoft.Billing/enrollmentAccounts", + "Microsoft.Billing/permissionRequests", + "Microsoft.Billing/billingAccounts/permissionRequests", + "Microsoft.Billing/billingAccounts/associatedTenants", + "Microsoft.Billing/billingRoleDefinitions", + "Microsoft.Billing/billingRoleAssignments", + "Microsoft.Billing/createBillingRoleAssignment", + "Microsoft.Billing/billingAccounts/createBillingRoleAssignment", + "Microsoft.Billing/billingAccounts/signAgreement", + "Microsoft.Billing/billingAccounts/previewAgreements", + "Microsoft.Billing/billingAccounts/billingProfiles/createBillingRoleAssignment", + "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/createBillingRoleAssignment", + "Microsoft.Billing/billingAccounts/customers/createBillingRoleAssignment", + "Microsoft.Billing/billingPermissions", + "Microsoft.Billing/billingAccounts/billingRoleDefinitions", + "Microsoft.Billing/billingAccounts/billingRoleAssignments", + "Microsoft.Billing/billingAccounts/billingPermissions", + "Microsoft.Billing/billingAccounts", + "Microsoft.Billing/billingAccounts/billingProfilesSummaries", + "Microsoft.Billing/billingAccounts/billingProfiles/billingRoleDefinitions", + "Microsoft.Billing/billingAccounts/billingProfiles/billingRoleAssignments", + "Microsoft.Billing/billingAccounts/billingProfiles/billingPermissions", + "Microsoft.Billing/billingAccounts/customers", + "Microsoft.Billing/billingAccounts/billingProfiles/customers", + "Microsoft.Billing/billingAccounts/billingProfiles/instructions", + "Microsoft.Billing/billingAccounts/customers/billingSubscriptions", + "Microsoft.Billing/billingAccounts/customers/products", + "Microsoft.Billing/billingAccounts/customers/transactions", + "Microsoft.Billing/billingAccounts/invoiceSections", + "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections", + "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/billingRoleDefinitions", + "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/billingRoleAssignments", + "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/billingPermissions", + "Microsoft.Billing/billingAccounts/customers/billingRoleDefinitions", + "Microsoft.Billing/billingAccounts/billingProfiles/customers/billingRoleDefinitions", + "Microsoft.Billing/billingAccounts/customers/billingRoleAssignments", + "Microsoft.Billing/billingAccounts/billingProfiles/customers/billingRoleAssignments", + "Microsoft.Billing/billingAccounts/customers/billingPermissions", + "Microsoft.Billing/billingAccounts/billingProfiles/customers/billingPermissions", + "Microsoft.Billing/billingAccounts/invoiceSections/elevate", + "Microsoft.Billing/billingAccounts/createInvoiceSectionOperations", + "Microsoft.Billing/billingAccounts/patchOperations", + "Microsoft.Billing/billingAccounts/invoiceSections/patchOperations", + "Microsoft.Billing/billingAccounts/invoiceSections/productMoveOperations", + "Microsoft.Billing/billingAccounts/invoiceSections/billingSubscriptionMoveOperations", + "Microsoft.Billing/billingAccounts/listInvoiceSectionsWithCreateSubscriptionPermission", + "Microsoft.Billing/billingAccounts/billingProfiles", + "Microsoft.Billing/billingAccounts/BillingProfiles/patchOperations", + "Microsoft.Billing/departments", + "Microsoft.Billing/billingAccounts/departments", + "Microsoft.Billing/billingAccounts/billingProfiles/departments", + "Microsoft.Billing/billingAccounts/notificationContacts", + "Microsoft.Billing/billingAccounts/billingProfiles/notificationContacts", + "Microsoft.Billing/billingAccounts/departments/billingRoleDefinitions", + "Microsoft.Billing/billingAccounts/billingProfiles/departments/billingRoleDefinitions", + "Microsoft.Billing/billingAccounts/departments/billingRoleAssignments", + "Microsoft.Billing/billingAccounts/billingProfiles/departments/billingRoleAssignments", + "Microsoft.Billing/billingAccounts/departments/billingPermissions", + "Microsoft.Billing/billingAccounts/billingProfiles/departments/billingPermissions", + "Microsoft.Billing/billingAccounts/enrollmentAccounts", + "Microsoft.Billing/billingAccounts/departments/enrollmentAccounts", + "Microsoft.Billing/billingAccounts/billingProfiles/enrollmentAccounts", + "Microsoft.Billing/billingAccounts/billingProfiles/departments/enrollmentAccounts", + "Microsoft.Billing/billingAccounts/enrollmentAccounts/billingRoleDefinitions", + "Microsoft.Billing/billingAccounts/enrollmentAccounts/billingRoleAssignments", + "Microsoft.Billing/billingAccounts/enrollmentAccounts/billingPermissions", + "Microsoft.Billing/billingAccounts/billingProfiles/enrollmentAccounts/billingPermissions", + "Microsoft.Billing/billingAccounts/enrollmentAccounts/billingSubscriptions", + "Microsoft.Billing/billingAccounts/departments/billingSubscriptions", + "Microsoft.Billing/billingAccounts/billingProfiles/paymentMethods", + "Microsoft.Billing/billingAccounts/availableBalance", + "Microsoft.Billing/billingAccounts/billingProfiles/availableBalance", + "Microsoft.Billing/billingAccounts/invoices", + "Microsoft.Billing/billingAccounts/billingProfiles/invoices", + "Microsoft.Billing/billingAccounts/transactions", + "Microsoft.Billing/billingAccounts/billingProfiles/transactions", + "Microsoft.Billing/billingAccounts/invoiceSections/transactions", + "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/transactions", + "Microsoft.Billing/billingAccounts/billingProfiles/invoices/transactions", + "Microsoft.Billing/billingAccounts/invoices/transactions", + "Microsoft.Billing/billingAccounts/invoices/summary", + "Microsoft.Billing/billingAccounts/billingProfiles/validateDeleteBillingProfileEligibility", + "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/validateDeleteInvoiceSectionEligibility", + "Microsoft.Billing/billingAccounts/invoices/transactionSummary", + "Microsoft.Billing/billingAccounts/billingSubscriptions", + "Microsoft.Billing/billingAccounts/billingSubscriptionAliases", + "Microsoft.Billing/billingAccounts/billingSubscriptions/invoices", + "Microsoft.Billing/billingAccounts/billingSubscriptions/policies", + "Microsoft.Billing/billingAccounts/billingProfiles/billingSubscriptions", + "Microsoft.Billing/billingAccounts/billingProfiles/departments/billingSubscriptions", + "Microsoft.Billing/billingAccounts/billingProfiles/enrollmentAccounts/billingSubscriptions", + "Microsoft.Billing/billingAccounts/invoiceSections/billingSubscriptions", + "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/billingSubscriptions", + "Microsoft.Billing/billingAccounts/invoiceSections/products", + "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/products", + "Microsoft.Billing/billingAccounts/invoiceSections/products/updateAutoRenew", + "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/products/updateAutoRenew", + "Microsoft.Billing/billingAccounts/billingProfiles/products", + "Microsoft.Billing/billingAccounts/products", + "Microsoft.Billing/operations", + "Microsoft.Billing/billingAccounts/invoiceSections/initiateTransfer", + "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/initiateTransfer", + "Microsoft.Billing/billingAccounts/invoiceSections/transfers", + "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/transfers", + "Microsoft.Billing/transfers/acceptTransfer", + "Microsoft.Billing/transfers", + "Microsoft.Billing/transfers/declineTransfer", + "Microsoft.Billing/transfers/validateTransfer", + "Microsoft.Billing/billingAccounts/customers/initiateTransfer", + "Microsoft.Billing/billingAccounts/customers/transfers", + "Microsoft.Billing/billingAccounts/customers/transferSupportedAccounts", + "Microsoft.Billing/billingProperty", + "Microsoft.Billing/policies", + "Microsoft.Billing/billingAccounts/policies", + "Microsoft.Billing/billingAccounts/billingProfiles/policies", + "Microsoft.Billing/billingAccounts/customers/policies", + "Microsoft.Billing/billingAccounts/billingProfiles/invoices/pricesheet", + "Microsoft.Billing/billingAccounts/billingProfiles/pricesheet", + "Microsoft.Billing/billingAccounts/invoiceSections/billingSubscriptions/transfer", + "Microsoft.Billing/billingAccounts/invoiceSections/products/transfer", + "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/products/transfer", + "Microsoft.Billing/billingAccounts/invoiceSections/productTransfersResults", + "Microsoft.Billing/billingAccounts/agreements", + "Microsoft.Billing/billingAccounts/lineOfCredit", + "Microsoft.Billing/billingAccounts/paymentMethods", + "Microsoft.Billing/paymentMethods", + "Microsoft.Billing/billingAccounts/billingProfiles/paymentMethodLinks", + "Microsoft.Billing/billingAccounts/payableOverage", + "Microsoft.Billing/billingAccounts/payNow", + "Microsoft.Billing/billingAccounts/reservationOrders", + "Microsoft.Billing/billingAccounts/reservationOrders/reservations", + "Microsoft.Billing/billingAccounts/reservations", + "Microsoft.Billing/billingAccounts/billingProfiles/reservations", + "Microsoft.Billing/billingAccounts/billingProfiles/validateDetachPaymentMethodEligibility", + "Microsoft.Billing/validateAddress", + "Microsoft.Billing/promotions", + "Microsoft.Billing/promotions/checkeligibility", + "Microsoft.Billing/billingAccounts/billingSubscriptions/elevateRole", + "Microsoft.Billing/billingAccounts/appliedReservationOrders", + "Microsoft.Billing/promotionalCredits", + "Microsoft.Billing/billingAccounts/promotionalCredits", + "Microsoft.Billing/billingAccounts/savingsPlanOrders/savingsPlans", + "Microsoft.Billing/billingAccounts/savingsPlanOrders", + "Microsoft.Billing/billingAccounts/savingsPlans", + "Microsoft.Billing/billingAccounts/alerts", + "Microsoft.Billing/billingAccounts/billingProfiles/alerts", + "Microsoft.Billing/billingAccounts/listProductRecommendations", + "Microsoft.Billing/billingAccounts/incentiveSchedules", + "Microsoft.Billing/billingAccounts/incentiveSchedules/milestones", + "Microsoft.Billing/operationStatus", + "Microsoft.Billing/transfers/operationStatus", + "Microsoft.Billing/operationResults", + "Microsoft.Billing/billingAccounts/operationResults", + "Microsoft.Billing/billingAccounts/billingProfiles/invoices/operationResults", + "Microsoft.Billing/billingAccounts/billingProfiles/pricesheetDownloadOperations", + "Microsoft.Billing/billingAccounts/billingSubscriptions/operationResults", + "Microsoft.Billing/billingAccounts/billingSubscriptions/invoices/operationResults", + "Microsoft.Billing/billingAccounts/enrollmentAccounts/activationStatus", + "Microsoft.Billing/billingAccounts/invoices/operationResults", + "Microsoft.Billing/promotionalCredits/operationResults", + "Microsoft.Billing/billingAccounts/addresses", + "Microsoft.BillingBenefits/savingsPlanOrders", + "Microsoft.BillingBenefits/savingsPlanOrders/savingsPlans", + "Microsoft.BillingBenefits/savingsPlanOrders/return", + "Microsoft.BillingBenefits/validate", + "Microsoft.BillingBenefits/calculateMigrationCost", + "Microsoft.BillingBenefits/operationResults", + "Microsoft.BillingBenefits/operations", + "Microsoft.BillingBenefits/savingsPlanOrderAliases", + "Microsoft.BillingBenefits/reservationOrderAliases", + "Microsoft.BillingBenefits/savingsPlans", + "Microsoft.BillingBenefits/incentiveSchedules", + "Microsoft.BillingBenefits/incentiveSchedules/milestones", + "Microsoft.BillingBenefits/maccs", + "Microsoft.BillingBenefits/maccs/contributors", + "Microsoft.BillingBenefits/listSellerResources", + "Microsoft.BillingBenefits/credits", + "Microsoft.Bing/locations", + "Microsoft.Bing/accounts/skus", + "Microsoft.Bing/accounts/usages", + "Microsoft.Bing/registeredSubscriptions", + "Microsoft.Bing/operations", + "Microsoft.Bing/locations/operationStatuses", + "Microsoft.Bing/accounts", + "Microsoft.BlockchainTokens/Operations", + "Microsoft.Capacity/resourceProviders", + "Microsoft.Capacity/resourceProviders/locations", + "Microsoft.Capacity/resourceProviders/locations/serviceLimits", + "Microsoft.Capacity/resourceProviders/locations/serviceLimitsRequests", + "Microsoft.Capacity/resources", + "Microsoft.Capacity/reservationOrders", + "Microsoft.Capacity/reservationOrders/reservations", + "Microsoft.Capacity/listbenefits", + "Microsoft.Capacity/reservations", + "Microsoft.Capacity/reservationOrders/reservations/revisions", + "Microsoft.Capacity/operations", + "Microsoft.Capacity/catalogs", + "Microsoft.Capacity/appliedReservations", + "Microsoft.Capacity/checkOffers", + "Microsoft.Capacity/checkScopes", + "Microsoft.Capacity/calculatePrice", + "Microsoft.Capacity/calculateExchange", + "Microsoft.Capacity/exchange", + "Microsoft.Capacity/reservationOrders/calculateRefund", + "Microsoft.Capacity/reservationOrders/return", + "Microsoft.Capacity/reservationOrders/split", + "Microsoft.Capacity/reservationOrders/merge", + "Microsoft.Capacity/reservationOrders/swap", + "Microsoft.Capacity/reservationOrders/changeDirectory", + "Microsoft.Capacity/validateReservationOrder", + "Microsoft.Capacity/reservationOrders/availableScopes", + "Microsoft.Capacity/reservationOrders/reservations/availableScopes", + "Microsoft.Capacity/commercialReservationOrders", + "Microsoft.Capacity/calculatePurchasePrice", + "Microsoft.Capacity/placePurchaseOrder", + "Microsoft.Capacity/checkPurchaseStatus", + "Microsoft.Capacity/ownReservations", + "Microsoft.Capacity/operationResults", + "Microsoft.Capacity/listSkus", + "Microsoft.Capacity/checkBenefitScopes", + "Microsoft.Carbon/carbonEmissionReports", + "Microsoft.Carbon/queryCarbonEmissionDataAvailableDateRange", + "Microsoft.Carbon/operations", + "Microsoft.CertificateRegistration/certificateOrders", + "Microsoft.CertificateRegistration/certificateOrders/certificates", + "Microsoft.CertificateRegistration/validateCertificateRegistrationInformation", + "Microsoft.CertificateRegistration/operations", + "Microsoft.Certify/operations", + "Microsoft.ChangeAnalysis/operations", + "Microsoft.ChangeAnalysis/resourceChanges", + "Microsoft.ChangeAnalysis/changes", + "Microsoft.ChangeAnalysis/changeSnapshots", + "Microsoft.ChangeAnalysis/computeChanges", + "Microsoft.Chaos/operations", + "Microsoft.Chaos/targets", + "Microsoft.Chaos/locations", + "Microsoft.Chaos/locations/targetTypes", + "Microsoft.Chaos/experiments", + "Microsoft.Chaos/locations/operationStatuses", + "Microsoft.Chaos/locations/operationResults", + "Microsoft.Chaos/privateAccesses", + "Microsoft.ClassicCompute/domainNames", + "Microsoft.ClassicCompute/domainNames/internalLoadBalancers", + "Microsoft.ClassicCompute/checkDomainNameAvailability", + "Microsoft.ClassicCompute/domainNames/slots", + "Microsoft.ClassicCompute/domainNames/slots/roles", + "Microsoft.ClassicCompute/domainNames/slots/roles/metricDefinitions", + "Microsoft.ClassicCompute/domainNames/slots/roles/metrics", + "Microsoft.ClassicCompute/virtualMachines", + "Microsoft.ClassicCompute/capabilities", + "Microsoft.ClassicCompute/domainNames/capabilities", + "Microsoft.ClassicCompute/domainNames/serviceCertificates", + "Microsoft.ClassicCompute/quotas", + "Microsoft.ClassicCompute/virtualMachines/diagnosticSettings", + "Microsoft.ClassicCompute/virtualMachines/metricDefinitions", + "Microsoft.ClassicCompute/virtualMachines/metrics", + "Microsoft.ClassicCompute/operations", + "Microsoft.ClassicCompute/resourceTypes", + "Microsoft.ClassicCompute/moveSubscriptionResources", + "Microsoft.ClassicCompute/validateSubscriptionMoveAvailability", + "Microsoft.ClassicCompute/operationStatuses", + "Microsoft.ClassicCompute/operatingSystems", + "Microsoft.ClassicCompute/operatingSystemFamilies", + "Microsoft.ClassicInfrastructureMigrate/classicInfrastructureResources", + "Microsoft.ClassicNetwork/virtualNetworks", + "Microsoft.ClassicNetwork/virtualNetworks/virtualNetworkPeerings", + "Microsoft.ClassicNetwork/virtualNetworks/remoteVirtualNetworkPeeringProxies", + "Microsoft.ClassicNetwork/reservedIps", + "Microsoft.ClassicNetwork/quotas", + "Microsoft.ClassicNetwork/gatewaySupportedDevices", + "Microsoft.ClassicNetwork/operations", + "Microsoft.ClassicNetwork/networkSecurityGroups", + "Microsoft.ClassicNetwork/capabilities", + "Microsoft.ClassicNetwork/expressRouteCrossConnections", + "Microsoft.ClassicNetwork/expressRouteCrossConnections/peerings", + "Microsoft.ClassicStorage/storageAccounts", + "Microsoft.ClassicStorage/quotas", + "Microsoft.ClassicStorage/checkStorageAccountAvailability", + "Microsoft.ClassicStorage/storageAccounts/services", + "Microsoft.ClassicStorage/storageAccounts/services/diagnosticSettings", + "Microsoft.ClassicStorage/storageAccounts/services/metricDefinitions", + "Microsoft.ClassicStorage/storageAccounts/services/metrics", + "Microsoft.ClassicStorage/storageAccounts/metricDefinitions", + "Microsoft.ClassicStorage/storageAccounts/metrics", + "Microsoft.ClassicStorage/capabilities", + "Microsoft.ClassicStorage/storageAccounts/blobServices", + "Microsoft.ClassicStorage/storageAccounts/tableServices", + "Microsoft.ClassicStorage/storageAccounts/fileServices", + "Microsoft.ClassicStorage/storageAccounts/queueServices", + "Microsoft.ClassicStorage/disks", + "Microsoft.ClassicStorage/images", + "Microsoft.ClassicStorage/vmImages", + "Microsoft.ClassicStorage/storageAccounts/vmImages", + "Microsoft.ClassicStorage/publicImages", + "Microsoft.ClassicStorage/osImages", + "Microsoft.ClassicStorage/osPlatformImages", + "Microsoft.ClassicStorage/operations", + "Microsoft.ClassicSubscription/operations", + "Microsoft.CleanRoom/Locations", + "Microsoft.CleanRoom/Operations", + "Microsoft.CleanRoom/Locations/OperationStatuses", + "Microsoft.CloudHealth/Locations", + "Microsoft.CloudHealth/Locations/operationstatuses", + "Microsoft.CloudHealth/Operations", + "Microsoft.CloudShell/operations", + "Microsoft.CloudTest/accounts", + "Microsoft.CloudTest/pools", + "Microsoft.CloudTest/hostedpools", + "Microsoft.CloudTest/images", + "Microsoft.CloudTest/operations", + "Microsoft.CloudTest/locations", + "Microsoft.CloudTest/locations/operations", + "Microsoft.CodeSigning/Locations", + "Microsoft.CodeSigning/Locations/OperationStatuses", + "Microsoft.CodeSigning/Operations", + "Microsoft.CodeSigning/checkNameAvailability", + "Microsoft.Commerce/UsageAggregates", + "Microsoft.Commerce/RateCard", + "Microsoft.Commerce/operations", + "Microsoft.Communication/Locations", + "Microsoft.Communication/CommunicationServices", + "Microsoft.Communication/CommunicationServices/eventGridFilters", + "Microsoft.Communication/operations", + "Microsoft.Communication/registeredSubscriptions", + "Microsoft.Communication/locations/operationStatuses", + "Microsoft.Communication/CheckNameAvailability", + "Microsoft.Communication/EmailServices", + "Microsoft.Communication/EmailServices/Domains", + "Microsoft.Communication/EmailServices/Domains/SenderUsernames", + "Microsoft.Community/communityTrainings", + "Microsoft.Community/Operations", + "Microsoft.Community/Locations", + "Microsoft.Community/Locations/OperationStatuses", + "Microsoft.ComputeSchedule/Locations", + "Microsoft.ConfidentialLedger/Locations", + "Microsoft.ConfidentialLedger/Ledgers", + "Microsoft.ConfidentialLedger/checkNameAvailability", + "Microsoft.ConfidentialLedger/Locations/operations", + "Microsoft.ConfidentialLedger/Locations/operationstatuses", + "Microsoft.ConfidentialLedger/ManagedCCFs", + "Microsoft.ConfidentialLedger/operations", + "Microsoft.Confluent/operations", + "Microsoft.Confluent/locations", + "Microsoft.Confluent/locations/OperationStatuses", + "Microsoft.Confluent/organizations", + "Microsoft.Confluent/checkNameAvailability", + "Microsoft.Confluent/agreements", + "Microsoft.Confluent/validations", + "Microsoft.Confluent/organizations/access", + "Microsoft.Confluent/organizations/access/deleteRoleBinding", + "Microsoft.Confluent/organizations/environments", + "Microsoft.Confluent/organizations/environments/clusters", + "Microsoft.Confluent/organizations/environments/schemaRegistryClusters", + "Microsoft.Confluent/organizations/environments/clusters/createAPIKey", + "Microsoft.Confluent/organizations/apiKeys", + "Microsoft.Confluent/organizations/listRegions", + "Microsoft.ConnectedCache/cacheNodes", + "Microsoft.ConnectedCache/enterpriseCustomers", + "Microsoft.ConnectedCache/Operations", + "Microsoft.ConnectedCache/locations", + "Microsoft.ConnectedCache/locations/operationstatuses", + "Microsoft.ConnectedCache/ispCustomers", + "Microsoft.ConnectedCache/ispCustomers/ispCacheNodes", + "Microsoft.ConnectedCache/enterpriseMccCustomers", + "Microsoft.ConnectedCache/enterpriseMccCustomers/enterpriseMccCacheNodes", + "Microsoft.ConnectedCache/registeredSubscriptions", + "Microsoft.ConnectedCredentials/locations", + "Microsoft.ConnectedCredentials/locations/operationstatuses", + "Microsoft.ConnectedCredentials/credentials", + "Microsoft.ConnectedCredentials/operations", + "microsoft.connectedopenstack/operations", + "microsoft.connectedopenstack/locations", + "microsoft.connectedopenstack/locations/operationStatuses", + "Microsoft.ConnectedVehicle/locations", + "Microsoft.ConnectedVehicle/operations", + "Microsoft.ConnectedVehicle/Locations/OperationStatuses", + "Microsoft.ConnectedVehicle/checkNameAvailability", + "Microsoft.ConnectedVehicle/registeredSubscriptions", + "Microsoft.ConnectedVMwarevSphere/locations", + "Microsoft.ConnectedVMwarevSphere/locations/operationstatuses", + "Microsoft.ConnectedVMwarevSphere/VCenters", + "Microsoft.ConnectedVMwarevSphere/resourcepools", + "Microsoft.ConnectedVMwarevSphere/virtualnetworks", + "Microsoft.ConnectedVMwarevSphere/virtualmachinetemplates", + "Microsoft.ConnectedVMwarevSphere/operations", + "Microsoft.ConnectedVMwarevSphere/virtualmachines", + "Microsoft.ConnectedVMwarevSphere/vcenters/inventoryitems", + "Microsoft.ConnectedVMwarevSphere/virtualmachines/hybrididentitymetadata", + "Microsoft.ConnectedVMwarevSphere/virtualmachines/extensions", + "Microsoft.ConnectedVMwarevSphere/virtualmachines/guestagents", + "Microsoft.ConnectedVMwarevSphere/clusters", + "Microsoft.ConnectedVMwarevSphere/datastores", + "Microsoft.ConnectedVMwarevSphere/hosts", + "Microsoft.ConnectedVMwarevSphere/virtualmachineinstances", + "Microsoft.CostManagement/Connectors", + "Microsoft.CostManagement/CloudConnectors", + "Microsoft.CostManagement/CheckConnectorEligibility", + "Microsoft.CostManagement/ExternalBillingAccounts", + "Microsoft.CostManagement/ExternalBillingAccounts/Dimensions", + "Microsoft.CostManagement/ExternalBillingAccounts/Query", + "Microsoft.CostManagement/ExternalSubscriptions/Dimensions", + "Microsoft.CostManagement/ExternalSubscriptions/Query", + "Microsoft.CostManagement/ExternalSubscriptions", + "Microsoft.CostManagement/Forecast", + "Microsoft.CostManagement/ExternalSubscriptions/Forecast", + "Microsoft.CostManagement/ExternalBillingAccounts/Forecast", + "Microsoft.CostManagement/Settings", + "Microsoft.CostManagement/operations", + "Microsoft.CostManagement/register", + "Microsoft.CostManagement/Query", + "Microsoft.CostManagement/Dimensions", + "Microsoft.CostManagement/Budgets", + "Microsoft.CostManagement/ExternalSubscriptions/Alerts", + "Microsoft.CostManagement/ExternalBillingAccounts/Alerts", + "Microsoft.CostManagement/Alerts", + "Microsoft.CostManagement/showbackRules", + "Microsoft.CostManagement/costAllocationRules", + "Microsoft.CostManagement/Exports", + "Microsoft.CostManagement/Reports", + "Microsoft.CostManagement/Reportconfigs", + "Microsoft.CostManagement/BillingAccounts", + "Microsoft.CostManagement/Departments", + "Microsoft.CostManagement/EnrollmentAccounts", + "Microsoft.CostManagement/Views", + "Microsoft.CostManagement/Publish", + "Microsoft.CostManagement/ScheduledActions", + "Microsoft.CostManagement/CheckNameAvailability", + "Microsoft.CostManagement/BenefitUtilizationSummaries", + "Microsoft.CostManagement/BenefitRecommendations", + "Microsoft.CostManagement/Insights", + "Microsoft.CostManagement/fetchPrices", + "Microsoft.CostManagement/fetchMicrosoftPrices", + "Microsoft.CostManagement/fetchMarketplacePrices", + "Microsoft.CostManagement/calculatePrice", + "Microsoft.CostManagement/CalculateCost", + "Microsoft.CostManagement/GenerateBenefitUtilizationSummariesReport", + "Microsoft.CostManagement/BenefitUtilizationSummariesOperationResults", + "Microsoft.CostManagement/GenerateReservationDetailsReport", + "Microsoft.CostManagement/ReservationDetailsOperationResults", + "Microsoft.CostManagement/GenerateDetailedCostReport", + "Microsoft.CostManagement/GenerateCostDetailsReport", + "Microsoft.CostManagement/CostDetailsOperationResults", + "Microsoft.CostManagement/OperationStatus", + "Microsoft.CostManagement/OperationResults", + "Microsoft.CostManagement/Pricesheets", + "Microsoft.CostManagement/MarkupRules", + "Microsoft.CostManagement/StartConversation", + "Microsoft.CostManagement/SendMessage", + "Microsoft.CostManagementExports/Operations", + "Microsoft.CustomerLockbox/operations", + "Microsoft.CustomerLockbox/TenantOptedIn", + "Microsoft.CustomerLockbox/EnableLockbox", + "Microsoft.CustomerLockbox/DisableLockbox", + "Microsoft.CustomerLockbox/requests", + "Microsoft.D365CustomerInsights/instances", + "Microsoft.D365CustomerInsights/operations", + "Microsoft.Dashboard/locations", + "Microsoft.Dashboard/checkNameAvailability", + "Microsoft.Dashboard/locations/operationStatuses", + "Microsoft.Dashboard/grafana", + "Microsoft.Dashboard/operations", + "Microsoft.Dashboard/grafana/privateEndpointConnections", + "Microsoft.Dashboard/grafana/privateLinkResources", + "Microsoft.Dashboard/locations/checkNameAvailability", + "Microsoft.Dashboard/grafana/managedPrivateEndpoints", + "Microsoft.DatabaseWatcher/locations", + "Microsoft.DatabaseWatcher/operations", + "Microsoft.DataBox/jobs", + "Microsoft.DataBox/locations", + "Microsoft.DataBox/locations/validateAddress", + "Microsoft.DataBox/locations/checkNameAvailability", + "Microsoft.DataBox/locations/operationresults", + "Microsoft.DataBox/operations", + "Microsoft.DataBox/locations/availableSkus", + "Microsoft.DataBox/locations/validateInputs", + "Microsoft.DataBox/locations/regionConfiguration", + "Microsoft.DataBox/jobs/eventGridFilters", + "Microsoft.DataBoxEdge/DataBoxEdgeDevices", + "Microsoft.DataBoxEdge/DataBoxEdgeDevices/checkNameAvailability", + "Microsoft.DataBoxEdge/operations", + "Microsoft.DataBoxEdge/availableSkus", + "Microsoft.DataCatalog/catalogs", + "Microsoft.DataCatalog/checkNameAvailability", + "Microsoft.DataCatalog/operations", + "Microsoft.DataCatalog/locations", + "Microsoft.DataCatalog/locations/jobs", + "Microsoft.Datadog/registeredSubscriptions", + "Microsoft.Datadog/locations", + "Microsoft.Datadog/locations/operationStatuses", + "Microsoft.Datadog/operations", + "Microsoft.Datadog/monitors", + "Microsoft.Datadog/monitors/tagRules", + "Microsoft.Datadog/monitors/listMonitoredResources", + "Microsoft.Datadog/monitors/listApiKeys", + "Microsoft.Datadog/monitors/getDefaultKey", + "Microsoft.Datadog/monitors/setDefaultKey", + "Microsoft.Datadog/monitors/singleSignOnConfigurations", + "Microsoft.Datadog/monitors/listHosts", + "Microsoft.Datadog/monitors/listLinkedResources", + "Microsoft.Datadog/monitors/refreshSetPasswordLink", + "Microsoft.Datadog/agreements", + "Microsoft.Datadog/monitors/monitoredSubscriptions", + "Microsoft.Datadog/subscriptionStatuses", + "Microsoft.DataFactory/factories", + "Microsoft.DataFactory/factories/integrationRuntimes", + "Microsoft.DataFactory/factories/privateEndpointConnectionProxies", + "Microsoft.DataFactory/CheckNameAvailability", + "Microsoft.DataFactory/operations", + "Microsoft.DataFactory/locations", + "Microsoft.DataFactory/locations/configureFactoryRepo", + "Microsoft.DataFactory/locations/getFeatureValue", + "Microsoft.DataReplication/replicationVaults", + "Microsoft.DataReplication/replicationFabrics", + "Microsoft.DataReplication/operations", + "Microsoft.DataShare/accounts", + "Microsoft.DataShare/accounts/shares", + "Microsoft.DataShare/accounts/shares/datasets", + "Microsoft.DataShare/accounts/shares/synchronizationSettings", + "Microsoft.DataShare/accounts/shares/invitations", + "Microsoft.DataShare/accounts/sharesubscriptions", + "Microsoft.DataShare/accounts/shares/providersharesubscriptions", + "Microsoft.DataShare/accounts/sharesubscriptions/datasetmappings", + "Microsoft.DataShare/accounts/sharesubscriptions/triggers", + "Microsoft.DataShare/accounts/sharesubscriptions/consumerSourceDataSets", + "Microsoft.DataShare/listinvitations", + "Microsoft.DataShare/locations", + "Microsoft.DataShare/locations/operationResults", + "Microsoft.DataShare/locations/registerEmail", + "Microsoft.DataShare/locations/activateEmail", + "Microsoft.DataShare/locations/rejectInvitation", + "Microsoft.DataShare/locations/consumerInvitations", + "Microsoft.DataShare/operations", + "Microsoft.DelegatedNetwork/operations", + "Microsoft.DevAI/Locations", + "Microsoft.DevAI/Locations/operationstatuses", + "Microsoft.DevAI/instances", + "Microsoft.DevAI/instances/experiments", + "Microsoft.DevAI/instances/sandboxes", + "Microsoft.DevAI/instances/sandboxes/experiments", + "Microsoft.DevAI/Operations", + "Microsoft.DevAI/registeredSubscriptions", + "Microsoft.DevCenter/operations", + "Microsoft.DevCenter/Locations", + "Microsoft.DevCenter/Locations/OperationStatuses", + "Microsoft.DevCenter/devcenters", + "Microsoft.DevCenter/devcenters/catalogs", + "Microsoft.DevCenter/devcenters/attachednetworks", + "Microsoft.DevCenter/devcenters/devboxdefinitions", + "Microsoft.DevCenter/devcenters/environmentTypes", + "Microsoft.DevCenter/devcenters/galleries", + "Microsoft.DevCenter/devcenters/galleries/images/versions", + "Microsoft.DevCenter/devcenters/galleries/images", + "Microsoft.DevCenter/devcenters/images", + "Microsoft.DevCenter/networkconnections", + "Microsoft.DevCenter/networkconnections/healthchecks", + "Microsoft.DevCenter/projects", + "Microsoft.DevCenter/projects/attachednetworks", + "Microsoft.DevCenter/projects/environmentTypes", + "Microsoft.DevCenter/projects/pools", + "Microsoft.DevCenter/projects/pools/schedules", + "Microsoft.DevCenter/projects/devboxdefinitions", + "Microsoft.DevCenter/projects/allowedEnvironmentTypes", + "Microsoft.DevCenter/checkNameAvailability", + "Microsoft.DevCenter/networkconnections/outboundNetworkDependenciesEndpoints", + "Microsoft.DevCenter/Locations/usages", + "Microsoft.DevCenter/devcenters/catalogs/devboxdefinitions", + "Microsoft.DevCenter/devcenters/catalogs/environmentDefinitions", + "Microsoft.DevCenter/devcenters/catalogs/tasks", + "Microsoft.DevCenter/checkScopedNameAvailability", + "Microsoft.DevelopmentWindows365/DevelopmentCloudPcDelegatedMsis", + "Microsoft.DevHub/operations", + "Microsoft.DevHub/workflows", + "Microsoft.DevHub/locations", + "Microsoft.DevHub/locations/githuboauth", + "Microsoft.DevHub/locations/generatePreviewArtifacts", + "Microsoft.DeviceRegistry/locations", + "Microsoft.DeviceRegistry/operations", + "Microsoft.DeviceRegistry/operationStatuses", + "Microsoft.DeviceRegistry/locations/operationStatuses", + "Microsoft.DeviceRegistry/assets", + "Microsoft.DeviceRegistry/assetEndpointProfiles", + "Microsoft.DeviceUpdate/locations", + "Microsoft.DeviceUpdate/locations/operationStatuses", + "Microsoft.DeviceUpdate/operations", + "Microsoft.DeviceUpdate/accounts", + "Microsoft.DeviceUpdate/accounts/instances", + "Microsoft.DeviceUpdate/checkNameAvailability", + "Microsoft.DeviceUpdate/registeredSubscriptions", + "Microsoft.DeviceUpdate/accounts/privateLinkResources", + "Microsoft.DeviceUpdate/accounts/privateEndpointConnections", + "Microsoft.DeviceUpdate/accounts/privateEndpointConnectionProxies", + "Microsoft.DigitalTwins/locations", + "Microsoft.DigitalTwins/locations/checkNameAvailability", + "Microsoft.DigitalTwins/digitalTwinsInstances", + "Microsoft.DigitalTwins/digitalTwinsInstances/operationResults", + "Microsoft.DigitalTwins/locations/operationResults", + "Microsoft.DigitalTwins/locations/operationsStatuses", + "Microsoft.DigitalTwins/digitalTwinsInstances/endpoints", + "Microsoft.DigitalTwins/digitalTwinsInstances/timeSeriesDatabaseConnections", + "Microsoft.DigitalTwins/operations", + "Microsoft.DomainRegistration/domains", + "Microsoft.DomainRegistration/domains/domainOwnershipIdentifiers", + "Microsoft.DomainRegistration/topLevelDomains", + "Microsoft.DomainRegistration/checkDomainAvailability", + "Microsoft.DomainRegistration/listDomainRecommendations", + "Microsoft.DomainRegistration/validateDomainRegistrationInformation", + "Microsoft.DomainRegistration/generateSsoRequest", + "Microsoft.DomainRegistration/operations", + "Microsoft.Easm/workspaces", + "Microsoft.Easm/workspaces/labels", + "Microsoft.Easm/operations", + "Microsoft.Easm/workspaces/tasks", + "Microsoft.EdgeManagement/locations", + "Microsoft.EdgeManagement/operations", + "Microsoft.EdgeMarketplace/operations", + "Microsoft.EdgeMarketplace/locations", + "Microsoft.EdgeMarketplace/locations/operationStatuses", + "Microsoft.EdgeMarketplace/publishers", + "Microsoft.EdgeMarketplace/offers", + "Microsoft.EdgeOrder/addresses", + "Microsoft.EdgeOrder/orderItems", + "Microsoft.EdgeOrder/orders", + "Microsoft.EdgeOrder/locations", + "Microsoft.EdgeOrder/locations/orders", + "Microsoft.EdgeOrder/listProductFamilies", + "Microsoft.EdgeOrder/listConfigurations", + "Microsoft.EdgeOrder/productFamiliesMetadata", + "Microsoft.EdgeOrder/locations/hciCatalog", + "Microsoft.EdgeOrder/locations/hciCatalog/vendors", + "Microsoft.EdgeOrder/locations/hciCatalog/platforms", + "Microsoft.EdgeOrder/locations/hciCatalog/projects", + "Microsoft.EdgeOrder/locations/hciFlightCatalog", + "Microsoft.EdgeOrder/locations/hciFlightCatalog/vendors", + "Microsoft.EdgeOrder/locations/hciFlightCatalog/platforms", + "Microsoft.EdgeOrder/locations/hciFlightCatalog/projects", + "Microsoft.EdgeOrder/operations", + "Microsoft.EdgeOrder/locations/operationresults", + "Microsoft.EdgeOrderPartner/operations", + "Microsoft.Elastic/operations", + "Microsoft.Elastic/locations", + "Microsoft.Elastic/locations/operationStatuses", + "Microsoft.Elastic/monitors", + "Microsoft.Elastic/monitors/tagRules", + "Microsoft.Elastic/checkNameAvailability", + "Microsoft.Elastic/elasticVersions", + "Microsoft.Elastic/getOrganizationApiKey", + "Microsoft.Elastic/getElasticOrganizationToAzureSubscriptionMapping", + "Microsoft.ElasticSan/elasticSans", + "Microsoft.ElasticSan/elasticSans/volumeGroups", + "Microsoft.ElasticSan/operations", + "Microsoft.ElasticSan/locations/asyncoperations", + "Microsoft.ElasticSan/locations", + "Microsoft.EnterpriseSupport/EnterpriseSupports", + "Microsoft.EnterpriseSupport/operationStatuses", + "Microsoft.EnterpriseSupport/validate", + "Microsoft.EnterpriseSupport/Operations", + "Microsoft.EntitlementManagement/Operations", + "Microsoft.Experimentation/Operations", + "Microsoft.ExtendedLocation/locations", + "Microsoft.ExtendedLocation/customLocations", + "Microsoft.ExtendedLocation/customLocations/enabledResourceTypes", + "Microsoft.ExtendedLocation/customLocations/resourceSyncRules", + "Microsoft.ExtendedLocation/locations/operationsstatus", + "Microsoft.ExtendedLocation/locations/operationresults", + "Microsoft.ExtendedLocation/operations", + "Microsoft.Fabric/capacities", + "Microsoft.Fabric/locations", + "Microsoft.Fabric/locations/checkNameAvailability", + "Microsoft.Fabric/locations/operationresults", + "Microsoft.Fabric/locations/operationstatuses", + "Microsoft.Fabric/operations", + "Microsoft.Falcon/namespaces", + "Microsoft.Features/features", + "Microsoft.Features/providers", + "Microsoft.Features/featureProviders", + "Microsoft.Features/subscriptionFeatureRegistrations", + "Microsoft.Features/featureProviderNamespaces", + "Microsoft.Features/featureConfigurations", + "Microsoft.Features/operations", + "Microsoft.FluidRelay/fluidRelayServers", + "Microsoft.FluidRelay/Operations", + "Microsoft.FluidRelay/fluidRelayServers/fluidRelayContainers", + "Microsoft.FluidRelay/Locations", + "Microsoft.FluidRelay/Locations/OperationStatuses", + "Microsoft.GraphServices/accounts", + "Microsoft.GraphServices/Operations", + "Microsoft.GraphServices/RegisteredSubscriptions", + "Microsoft.GraphServices/Locations", + "Microsoft.GraphServices/Locations/OperationStatuses", + "Microsoft.HanaOnAzure/hanaInstances", + "Microsoft.HanaOnAzure/locations/operationsStatus", + "Microsoft.HanaOnAzure/locations", + "Microsoft.HanaOnAzure/locations/operations", + "Microsoft.HanaOnAzure/operations", + "Microsoft.HardwareSecurityModules/cloudHsmClusters", + "Microsoft.HardwareSecurityModules/locations", + "Microsoft.HardwareSecurityModules/operations", + "Microsoft.HealthBot/Operations", + "Microsoft.HealthBot/Locations", + "Microsoft.HealthBot/Locations/OperationStatuses", + "Microsoft.HealthBot/healthBots", + "Microsoft.HealthDataAIServices/locations", + "Microsoft.HealthDataAIServices/locations/operationStatuses", + "Microsoft.HealthDataAIServices/Operations", + "Microsoft.HealthModel/Operations", + "Microsoft.Help/operations", + "Microsoft.Help/operationResults", + "Microsoft.Help/discoverySolutions", + "Microsoft.Help/discoverSolutions", + "Microsoft.Help/diagnostics", + "Microsoft.Help/checkNameAvailability", + "Microsoft.Help/solutions", + "Microsoft.Help/troubleshooters", + "Microsoft.Help/SelfHelp", + "Microsoft.HybridCloud/cloudConnectors", + "Microsoft.HybridCloud/cloudConnections", + "Microsoft.HybridCompute/machines", + "Microsoft.HybridCompute/machines/hybridIdentityMetadata", + "Microsoft.HybridCompute/machines/privateLinkScopes", + "Microsoft.HybridCompute/machines/extensions", + "Microsoft.HybridCompute/locations", + "Microsoft.HybridCompute/locations/publishers", + "Microsoft.HybridCompute/locations/publishers/extensionTypes", + "Microsoft.HybridCompute/locations/publishers/extensionTypes/versions", + "Microsoft.HybridCompute/locations/operationStatus", + "Microsoft.HybridCompute/locations/operationResults", + "Microsoft.HybridCompute/operations", + "Microsoft.HybridCompute/machines/assessPatches", + "Microsoft.HybridCompute/machines/installPatches", + "Microsoft.HybridCompute/locations/updateCenterOperationResults", + "Microsoft.HybridCompute/privateLinkScopes", + "Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnections", + "Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnectionProxies", + "Microsoft.HybridCompute/locations/privateLinkScopes", + "Microsoft.HybridCompute/osType", + "Microsoft.HybridCompute/osType/agentVersions", + "Microsoft.HybridCompute/osType/agentVersions/latest", + "Microsoft.HybridCompute/machines/runcommands", + "Microsoft.HybridCompute/machines/licenseProfiles", + "Microsoft.HybridCompute/licenses", + "Microsoft.HybridCompute/validateLicense", + "Microsoft.HybridCompute/networkConfigurations", + "Microsoft.HybridCompute/privateLinkScopes/networkSecurityPerimeterConfigurations", + "Microsoft.HybridCompute/privateLinkScopes/networkSecurityPerimeterAssociationProxies", + "Microsoft.HybridCompute/locations/notifyNetworkSecurityPerimeterUpdatesAvailable", + "Microsoft.HybridCompute/locations/notifyExtension", + "Microsoft.HybridConnectivity/endpoints", + "Microsoft.HybridConnectivity/Operations", + "Microsoft.HybridConnectivity/Locations", + "Microsoft.HybridConnectivity/Locations/OperationStatuses", + "Microsoft.HybridContainerService/Locations", + "Microsoft.HybridContainerService/Locations/operationStatuses", + "Microsoft.HybridContainerService/provisionedClusters", + "Microsoft.HybridContainerService/provisionedClusters/hybridIdentityMetadata", + "Microsoft.HybridContainerService/provisionedClusters/agentPools", + "Microsoft.HybridContainerService/virtualNetworks", + "Microsoft.HybridContainerService/Operations", + "Microsoft.HybridContainerService/provisionedClusters/upgradeProfiles", + "Microsoft.HybridContainerService/kubernetesVersions", + "Microsoft.HybridContainerService/skus", + "Microsoft.HybridContainerService/provisionedClusterInstances", + "Microsoft.HybridNetwork/Operations", + "Microsoft.HybridNetwork/Locations", + "Microsoft.HybridNetwork/Locations/OperationStatuses", + "Microsoft.HybridNetwork/devices", + "Microsoft.HybridNetwork/networkfunctions", + "Microsoft.HybridNetwork/networkFunctionVendors", + "Microsoft.HybridNetwork/networkFunctions/components", + "Microsoft.HybridNetwork/sites", + "Microsoft.HybridNetwork/siteNetworkServices", + "Microsoft.HybridNetwork/configurationGroupValues", + "Microsoft.HybridNetwork/publishers", + "Microsoft.HybridNetwork/publishers/networkFunctionDefinitionGroups", + "Microsoft.HybridNetwork/publishers/networkFunctionDefinitionGroups/networkFunctionDefinitionVersions", + "Microsoft.HybridNetwork/publishers/artifactStores", + "Microsoft.HybridNetwork/publishers/artifactStores/artifactManifests", + "Microsoft.HybridNetwork/publishers/artifactstores/artifacts", + "Microsoft.HybridNetwork/publishers/artifactstores/artifactversions", + "Microsoft.Impact/Operations", + "Microsoft.IntegrationSpaces/Spaces", + "Microsoft.IntegrationSpaces/Spaces/InfrastructureResources", + "Microsoft.IntegrationSpaces/Spaces/Applications", + "Microsoft.IntegrationSpaces/Spaces/applications/resources", + "Microsoft.IntegrationSpaces/Spaces/applications/BusinessProcesses", + "Microsoft.IntegrationSpaces/Spaces/applications/BusinessProcesses/versions", + "Microsoft.IntegrationSpaces/locations", + "Microsoft.IntegrationSpaces/locations/OperationStatuses", + "Microsoft.IntegrationSpaces/operations", + "Microsoft.IoTCentral/IoTApps", + "Microsoft.IoTCentral/checkNameAvailability", + "Microsoft.IoTCentral/checkSubdomainAvailability", + "Microsoft.IoTCentral/operations", + "Microsoft.IoTCentral/locations", + "Microsoft.IoTCentral/locations/operationResults", + "Microsoft.IoTCentral/appTemplates", + "Microsoft.IoTFirmwareDefense/operations", + "Microsoft.IoTFirmwareDefense/workspaces", + "Microsoft.IoTFirmwareDefense/workspaces/firmwares", + "Microsoft.IoTFirmwareDefense/workspaces/firmwares/sbomComponents", + "Microsoft.IoTFirmwareDefense/workspaces/firmwares/binaryHardeningResults", + "Microsoft.IoTFirmwareDefense/workspaces/firmwares/cryptoCertificates", + "Microsoft.IoTFirmwareDefense/workspaces/firmwares/cryptoKeys", + "Microsoft.IoTFirmwareDefense/workspaces/firmwares/passwordHashes", + "Microsoft.IoTFirmwareDefense/workspaces/firmwares/cves", + "Microsoft.IoTFirmwareDefense/workspaces/firmwares/summaries", + "Microsoft.IoTFirmwareDefense/locations", + "Microsoft.IoTFirmwareDefense/locations/operationStatuses", + "Microsoft.IoTOperationsDataProcessor/locations", + "Microsoft.IoTOperationsDataProcessor/locations/operationStatuses", + "Microsoft.IoTOperationsDataProcessor/instances", + "Microsoft.IoTOperationsDataProcessor/instances/datasets", + "Microsoft.IoTOperationsDataProcessor/instances/pipelines", + "Microsoft.IoTOperationsDataProcessor/operations", + "Microsoft.IoTOperationsMQ/Locations", + "Microsoft.IoTOperationsMQ/Operations", + "Microsoft.IoTOperationsMQ/Locations/OperationStatuses", + "Microsoft.IoTOperationsMQ/mq", + "Microsoft.IoTOperationsMQ/mq/broker", + "Microsoft.IoTOperationsMQ/mq/broker/authentication", + "Microsoft.IoTOperationsMQ/mq/broker/authorization", + "Microsoft.IoTOperationsMQ/mq/broker/listener", + "Microsoft.IoTOperationsMQ/mq/dataLakeConnector", + "Microsoft.IoTOperationsMQ/mq/dataLakeConnector/topicMap", + "Microsoft.IoTOperationsMQ/mq/diagnosticService", + "Microsoft.IoTOperationsMQ/mq/kafkaConnector", + "Microsoft.IoTOperationsMQ/mq/kafkaConnector/topicMap", + "Microsoft.IoTOperationsMQ/mq/mqttBridgeConnector", + "Microsoft.IoTOperationsMQ/mq/mqttBridgeConnector/topicMap", + "Microsoft.IoTOperationsOrchestrator/locations", + "Microsoft.IoTOperationsOrchestrator/locations/operationStatuses", + "Microsoft.IoTOperationsOrchestrator/targets", + "Microsoft.IoTOperationsOrchestrator/solutions", + "Microsoft.IoTOperationsOrchestrator/instances", + "Microsoft.IoTOperationsOrchestrator/operations", + "Microsoft.IoTSecurity/Operations", + "Microsoft.IoTSecurity/defenderSettings", + "Microsoft.IoTSecurity/locations", + "Microsoft.IoTSecurity/locations/deviceGroups", + "Microsoft.IoTSecurity/locations/deviceGroups/devices", + "Microsoft.IoTSecurity/locations/endpoints", + "Microsoft.IoTSecurity/locations/deviceGroups/vulnerabilities", + "Microsoft.IoTSecurity/locations/deviceGroups/alerts", + "Microsoft.IoTSecurity/locations/deviceGroups/alerts/pcaps", + "Microsoft.IoTSecurity/locations/deviceGroups/alerts/learn", + "Microsoft.IoTSecurity/locations/deviceGroups/recommendations", + "Microsoft.IoTSecurity/locations/sites", + "Microsoft.IoTSecurity/locations/sites/sensors", + "Microsoft.IoTSecurity/sites", + "Microsoft.IoTSecurity/sensors", + "Microsoft.IoTSecurity/onPremiseSensors", + "Microsoft.IoTSecurity/alertTypes", + "Microsoft.IoTSecurity/recommendationTypes", + "Microsoft.IoTSecurity/licenseSkus", + "Microsoft.Kubernetes/connectedClusters", + "Microsoft.Kubernetes/locations", + "Microsoft.Kubernetes/locations/operationStatuses", + "Microsoft.Kubernetes/registeredSubscriptions", + "Microsoft.Kubernetes/Operations", + "Microsoft.KubernetesConfiguration/sourceControlConfigurations", + "Microsoft.KubernetesConfiguration/extensions", + "Microsoft.KubernetesConfiguration/fluxConfigurations", + "Microsoft.KubernetesConfiguration/operations", + "Microsoft.KubernetesConfiguration/extensionTypes", + "Microsoft.KubernetesConfiguration/locations/extensionTypes", + "Microsoft.KubernetesConfiguration/locations/extensionTypes/versions", + "Microsoft.KubernetesConfiguration/privateLinkScopes", + "Microsoft.KubernetesConfiguration/privateLinkScopes/privateEndpointConnections", + "Microsoft.KubernetesConfiguration/privateLinkScopes/privateEndpointConnectionProxies", + "Microsoft.KubernetesRuntime/storageClasses", + "Microsoft.KubernetesRuntime/loadBalancers", + "Microsoft.KubernetesRuntime/bgpPeers", + "Microsoft.KubernetesRuntime/operations", + "Microsoft.KubernetesRuntime/locations", + "Microsoft.KubernetesRuntime/locations/operationStatuses", + "Microsoft.KubernetesRuntime/services", + "Microsoft.LabServices/labplans", + "Microsoft.LabServices/labs", + "Microsoft.LabServices/labaccounts", + "Microsoft.LabServices/locations/operationResults", + "Microsoft.LabServices/locations/operations", + "Microsoft.LabServices/operations", + "Microsoft.LabServices/users", + "Microsoft.LabServices/locations", + "Microsoft.LabServices/locations/usages", + "Microsoft.LoadTestService/operations", + "Microsoft.LoadTestService/checkNameAvailability", + "Microsoft.LoadTestService/loadtests", + "Microsoft.LoadTestService/Locations", + "Microsoft.LoadTestService/Locations/OperationStatuses", + "Microsoft.LoadTestService/registeredSubscriptions", + "Microsoft.LoadTestService/loadtests/outboundNetworkDependenciesEndpoints", + "Microsoft.LoadTestService/Locations/Quotas", + "Microsoft.Logz/operations", + "Microsoft.Logz/locations", + "Microsoft.Logz/registeredSubscriptions", + "Microsoft.Logz/locations/operationStatuses", + "Microsoft.Logz/monitors", + "Microsoft.Logz/monitors/tagRules", + "Microsoft.Logz/monitors/singleSignOnConfigurations", + "Microsoft.Logz/monitors/accounts", + "Microsoft.Logz/monitors/accounts/tagRules", + "Microsoft.MachineLearning/Workspaces", + "Microsoft.MachineLearning/webServices", + "Microsoft.MachineLearning/operations", + "Microsoft.MachineLearning/locations", + "Microsoft.MachineLearning/locations/operations", + "Microsoft.MachineLearning/locations/operationsStatus", + "Microsoft.MachineLearning/commitmentPlans", + "Microsoft.ManagedNetworkFabric/Operations", + "Microsoft.ManagedNetworkFabric/NetworkFabricControllers", + "Microsoft.ManagedNetworkFabric/Locations", + "Microsoft.ManagedNetworkFabric/Locations/OperationStatuses", + "Microsoft.ManagedNetworkFabric/NetworkFabrics", + "Microsoft.ManagedNetworkFabric/NetworkRacks", + "Microsoft.ManagedNetworkFabric/NetworkDevices", + "Microsoft.ManagedNetworkFabric/NetworkDevices/NetworkInterfaces", + "Microsoft.ManagedNetworkFabric/L2IsolationDomains", + "Microsoft.ManagedNetworkFabric/L3IsolationDomains", + "Microsoft.ManagedNetworkFabric/accesscontrollists", + "Microsoft.ManagedNetworkFabric/RoutePolicies", + "Microsoft.ManagedNetworkFabric/L3IsolationDomains/externalNetworks", + "Microsoft.ManagedNetworkFabric/L3IsolationDomains/internalNetworks", + "Microsoft.ManagedNetworkFabric/NetworkFabrics/NetworkToNetworkInterconnects", + "Microsoft.ManagedNetworkFabric/IpExtendedCommunities", + "Microsoft.ManagedNetworkFabric/IpCommunities", + "Microsoft.ManagedNetworkFabric/IpPrefixes", + "Microsoft.ManagedNetworkFabric/InternetGateways", + "Microsoft.ManagedNetworkFabric/internetgatewayrules", + "Microsoft.ManagedNetworkFabric/networkpacketbrokers", + "Microsoft.ManagedNetworkFabric/networktaps", + "Microsoft.ManagedNetworkFabric/networktaprules", + "Microsoft.ManagedNetworkFabric/neighborgroups", + "Microsoft.ManufacturingPlatform/locations", + "Microsoft.ManufacturingPlatform/operations", + "Microsoft.Marketplace/register", + "Microsoft.Marketplace/privategalleryitems", + "Microsoft.Marketplace/products", + "Microsoft.Marketplace/offers", + "Microsoft.Marketplace/macc", + "Microsoft.Marketplace/offerTypes", + "Microsoft.Marketplace/offerTypes/publishers", + "Microsoft.Marketplace/offerTypes/publishers/offers", + "Microsoft.Marketplace/offerTypes/publishers/offers/plans", + "Microsoft.Marketplace/offerTypes/publishers/offers/plans/configs", + "Microsoft.Marketplace/offerTypes/publishers/offers/plans/configs/importImage", + "Microsoft.Marketplace/offerTypes/publishers/offers/plans/agreements", + "Microsoft.Marketplace/operations", + "Microsoft.Marketplace/listAvailableOffers", + "Microsoft.Marketplace/publishers", + "Microsoft.Marketplace/publishers/offers", + "Microsoft.Marketplace/publishers/offers/amendments", + "Microsoft.Marketplace/privateStoreClient", + "Microsoft.Marketplace/privateStores", + "Microsoft.Marketplace/privateStores/offers", + "Microsoft.Marketplace/search", + "Microsoft.Marketplace/privateStores/requestApprovals/query", + "Microsoft.Marketplace/privateStores/requestApprovals/withdrawPlan", + "Microsoft.Marketplace/privateStores/RequestApprovals", + "Microsoft.Marketplace/privateStores/queryNotificationsState", + "Microsoft.Marketplace/privateStores/fetchAllSubscriptionsInTenant", + "Microsoft.Marketplace/privateStores/listNewPlansNotifications", + "Microsoft.Marketplace/privateStores/listStopSellOffersPlansNotifications", + "Microsoft.Marketplace/privateStores/listSubscriptionsContext", + "Microsoft.Marketplace/privateStores/offers/acknowledgeNotification", + "Microsoft.Marketplace/privateStores/AdminRequestApprovals", + "Microsoft.Marketplace/privateStores/collections", + "Microsoft.Marketplace/privateStores/collections/approveAllItems", + "Microsoft.Marketplace/privateStores/collections/disableApproveAllItems", + "Microsoft.Marketplace/privateStores/collections/offers", + "Microsoft.Marketplace/privateStores/collections/mapOffersToContexts", + "Microsoft.Marketplace/privateStores/collections/queryRules", + "Microsoft.Marketplace/privateStores/collections/setRules", + "Microsoft.Marketplace/privateStores/collections/offers/upsertOfferWithMultiContext", + "Microsoft.Marketplace/privateStores/bulkCollectionsAction", + "Microsoft.Marketplace/privateStores/collections/transferOffers", + "Microsoft.Marketplace/privateStores/anyExistingOffersInTheCollections", + "Microsoft.Marketplace/privateStores/queryOffers", + "Microsoft.Marketplace/privateStores/queryUserOffers", + "Microsoft.Marketplace/privateStores/queryUserRules", + "Microsoft.Marketplace/privateStores/collectionsToSubscriptionsMapping", + "Microsoft.Marketplace/privateStores/billingAccounts", + "Microsoft.Marketplace/privateStores/queryApprovedPlans", + "Microsoft.Marketplace/locations", + "Microsoft.Marketplace/locations/edgeZones", + "Microsoft.Marketplace/locations/edgeZones/products", + "Microsoft.Marketplace/mysolutions", + "Microsoft.Marketplace/products/reviews", + "Microsoft.Marketplace/products/reviews/comments", + "Microsoft.Marketplace/products/reviews/helpful", + "Microsoft.Marketplace/products/usermetadata", + "Microsoft.MarketplaceOrdering/agreements", + "Microsoft.MarketplaceOrdering/operations", + "Microsoft.MarketplaceOrdering/offertypes", + "Microsoft.Migrate/migrateprojects", + "Microsoft.Migrate/assessmentProjects", + "Microsoft.Migrate/moveCollections", + "Microsoft.Migrate/operations", + "Microsoft.Migrate/locations", + "Microsoft.Migrate/locations/rmsOperationResults", + "Microsoft.Migrate/modernizeProjects", + "Microsoft.Mission/Locations", + "Microsoft.Mission/Locations/OperationStatuses", + "Microsoft.Mission/Operations", + "Microsoft.Mission/virtualEnclaves/endpoints", + "Microsoft.Mission/checkNameAvailability", + "Microsoft.MobileNetwork/Locations", + "Microsoft.MobileNetwork/Locations/OperationStatuses", + "Microsoft.MobileNetwork/Operations", + "Microsoft.MobileNetwork/packetCoreControlPlaneVersions", + "Microsoft.MobilePacketCore/Locations", + "Microsoft.MobilePacketCore/Locations/OperationStatuses", + "Microsoft.MobilePacketCore/Operations", + "Microsoft.ModSimWorkbench/Locations/operationStatuses", + "Microsoft.ModSimWorkbench/Locations", + "Microsoft.ModSimWorkbench/Operations", + "Microsoft.Monitor/operations", + "Microsoft.Monitor/accounts", + "Microsoft.Monitor/locations/locationOperationStatuses", + "Microsoft.Monitor/locations/operationResults", + "Microsoft.Monitor/locations", + "Microsoft.Monitor/locations/operationStatuses", + "Microsoft.MySQLDiscovery/locations", + "Microsoft.MySQLDiscovery/locations/operationStatuses", + "Microsoft.MySQLDiscovery/MySQLSites", + "Microsoft.MySQLDiscovery/MySQLSites/MySQLServers", + "Microsoft.MySQLDiscovery/MySQLSites/Refresh", + "Microsoft.MySQLDiscovery/MySQLSites/Summaries", + "Microsoft.MySQLDiscovery/MySQLSites/ErrorSummaries", + "Microsoft.MySQLDiscovery/operations", + "Microsoft.NetApp/netAppAccounts", + "Microsoft.NetApp/netAppAccounts/snapshotPolicies", + "Microsoft.NetApp/netAppAccounts/volumeGroups", + "Microsoft.NetApp/netAppAccounts/capacityPools", + "Microsoft.NetApp/netAppAccounts/capacityPools/volumes", + "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/mountTargets", + "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/snapshots", + "Microsoft.NetApp/locations", + "Microsoft.NetApp/locations/checkNameAvailability", + "Microsoft.NetApp/locations/checkFilePathAvailability", + "Microsoft.NetApp/operations", + "Microsoft.NetApp/locations/checkQuotaAvailability", + "Microsoft.NetApp/locations/queryNetworkSiblingSet", + "Microsoft.NetApp/locations/updateNetworkSiblingSet", + "Microsoft.NetApp/locations/regionInfo", + "Microsoft.NetApp/locations/regionInfos", + "Microsoft.NetApp/locations/QuotaLimits", + "Microsoft.NetApp/locations/CheckInventory", + "Microsoft.NetApp/locations/operationResults", + "Microsoft.NetworkAnalytics/Locations", + "Microsoft.NetworkAnalytics/Locations/OperationStatuses", + "Microsoft.NetworkAnalytics/Operations", + "Microsoft.NetworkAnalytics/registeredSubscriptions", + "Microsoft.NetworkCloud/locations", + "Microsoft.NetworkCloud/locations/operationStatuses", + "Microsoft.NetworkCloud/clusterManagers", + "Microsoft.NetworkCloud/racks", + "Microsoft.NetworkCloud/clusters", + "Microsoft.NetworkCloud/bareMetalMachines", + "Microsoft.NetworkCloud/virtualMachines", + "Microsoft.NetworkCloud/operations", + "Microsoft.NetworkCloud/rackSkus", + "Microsoft.NetworkCloud/cloudServicesNetworks", + "Microsoft.NetworkCloud/l2Networks", + "Microsoft.NetworkCloud/storageAppliances", + "Microsoft.NetworkCloud/trunkedNetworks", + "Microsoft.NetworkCloud/l3Networks", + "Microsoft.NetworkCloud/clusters/metricsConfigurations", + "Microsoft.NetworkCloud/virtualMachines/consoles", + "Microsoft.NetworkCloud/clusters/bareMetalMachineKeySets", + "Microsoft.NetworkCloud/clusters/bmcKeySets", + "Microsoft.NetworkCloud/volumes", + "Microsoft.NetworkCloud/registeredSubscriptions", + "Microsoft.NetworkCloud/kubernetesClusters", + "Microsoft.NetworkCloud/kubernetesClusters/agentPools", + "Microsoft.NetworkFunction/azureTrafficCollectors", + "Microsoft.NetworkFunction/azureTrafficCollectors/collectorPolicies", + "Microsoft.NetworkFunction/meshVpns", + "Microsoft.NetworkFunction/meshVpns/connectionPolicies", + "Microsoft.NetworkFunction/meshVpns/privateEndpointConnections", + "Microsoft.NetworkFunction/meshVpns/privateEndpointConnectionProxies", + "Microsoft.NetworkFunction/operations", + "Microsoft.NetworkFunction/locations", + "Microsoft.NetworkFunction/locations/nfvOperations", + "Microsoft.NetworkFunction/locations/nfvOperationResults", + "Microsoft.Nutanix/operations", + "Microsoft.Nutanix/locations", + "Microsoft.ObjectStore/osNamespaces", + "Microsoft.OffAzure/VMwareSites", + "Microsoft.OffAzure/HyperVSites", + "Microsoft.OffAzure/ServerSites", + "Microsoft.OffAzure/ImportSites", + "Microsoft.OffAzure/MasterSites", + "Microsoft.OffAzure/locations", + "Microsoft.OffAzure/locations/operationResults", + "Microsoft.OffAzure/operations", + "Microsoft.OffAzureSpringBoot/locations", + "Microsoft.OffAzureSpringBoot/locations/operationStatuses", + "Microsoft.OffAzureSpringBoot/springbootsites", + "Microsoft.OffAzureSpringBoot/springbootsites/springbootservers", + "Microsoft.OffAzureSpringBoot/springbootsites/springbootapps", + "Microsoft.OffAzureSpringBoot/operations", + "Microsoft.OffAzureSpringBoot/springbootsites/summaries", + "Microsoft.OffAzureSpringBoot/springbootsites/errorsummaries", + "Microsoft.OpenEnergyPlatform/Locations", + "Microsoft.OpenEnergyPlatform/Locations/OperationStatuses", + "Microsoft.OpenEnergyPlatform/energyservices", + "Microsoft.OpenEnergyPlatform/checkNameAvailability", + "Microsoft.OpenEnergyPlatform/Operations", + "Microsoft.OpenEnergyPlatform/energyservices/privateEndpointConnections", + "Microsoft.OpenEnergyPlatform/energyservices/privateLinkResources", + "Microsoft.OpenEnergyPlatform/energyservices/privateEndpointConnectionProxies", + "Microsoft.OperatorVoicemail/Operations", + "Microsoft.OperatorVoicemail/Locations", + "Microsoft.OperatorVoicemail/Locations/OperationStatuses", + "Microsoft.OperatorVoicemail/Locations/checkNameAvailability", + "Microsoft.OracleDiscovery/locations", + "Microsoft.OracleDiscovery/locations/operationStatuses", + "Microsoft.OracleDiscovery/oraclesites", + "Microsoft.OracleDiscovery/oraclesites/oracleservers", + "Microsoft.OracleDiscovery/oraclesites/oracledatabases", + "Microsoft.OracleDiscovery/oraclesites/summaries", + "Microsoft.OracleDiscovery/oraclesites/errorSummaries", + "Microsoft.OracleDiscovery/operations", + "Microsoft.Orbital/availableGroundStations", + "Microsoft.Orbital/contactProfiles", + "Microsoft.Orbital/spacecrafts", + "Microsoft.Orbital/spacecrafts/contacts", + "Microsoft.Orbital/groundStations", + "Microsoft.Orbital/globalCommunicationsSites", + "Microsoft.Orbital/l2Connections", + "Microsoft.Orbital/edgeSites", + "Microsoft.Orbital/operations", + "Microsoft.Orbital/locations", + "Microsoft.Orbital/locations/operationResults", + "Microsoft.Orbital/locations/operationStatuses", + "Microsoft.PartnerManagedConsumerRecurrence/recurrences", + "Microsoft.PartnerManagedConsumerRecurrence/operations", + "Microsoft.PartnerManagedConsumerRecurrence/checkEligibility", + "Microsoft.PartnerManagedConsumerRecurrence/operationStatuses", + "Microsoft.Peering/peerings", + "Microsoft.Peering/peeringLocations", + "Microsoft.Peering/legacyPeerings", + "Microsoft.Peering/peerAsns", + "Microsoft.Peering/peeringServices", + "Microsoft.Peering/peeringServiceCountries", + "Microsoft.Peering/peeringServiceLocations", + "Microsoft.Peering/peeringServiceProviders", + "Microsoft.Peering/checkServiceProviderAvailability", + "Microsoft.Peering/lookingGlass", + "Microsoft.Peering/cdnPeeringPrefixes", + "Microsoft.Peering/operations", + "Microsoft.Pki/Operations", + "Microsoft.Portal/dashboards", + "Microsoft.Portal/tenantconfigurations", + "Microsoft.Portal/listTenantConfigurationViolations", + "Microsoft.Portal/operations", + "Microsoft.Portal/locations", + "Microsoft.Portal/consoles", + "Microsoft.Portal/locations/consoles", + "Microsoft.Portal/userSettings", + "Microsoft.Portal/locations/userSettings", + "Microsoft.PowerBI/workspaceCollections", + "Microsoft.PowerBI/locations", + "Microsoft.PowerBI/locations/checkNameAvailability", + "Microsoft.PowerBI/privateLinkServicesForPowerBI", + "Microsoft.PowerBI/privateLinkServicesForPowerBI/operationResults", + "Microsoft.PowerBI/operations", + "Microsoft.PowerPlatform/operations", + "Microsoft.PowerPlatform/enterprisePolicies", + "Microsoft.PowerPlatform/accounts", + "Microsoft.PowerPlatform/locations", + "Microsoft.PowerPlatform/locations/deleteVirtualNetworkOrSubnets", + "Microsoft.PowerPlatform/locations/validateDeleteVirtualNetworkOrSubnets", + "Microsoft.ProfessionalService/checkNameAvailability", + "Microsoft.ProfessionalService/eligibilityCheck", + "Microsoft.ProfessionalService/operationResults", + "Microsoft.ProfessionalService/operations", + "Microsoft.ProfessionalService/resources", + "Microsoft.ProgrammableConnectivity/operations", + "Microsoft.ProgrammableConnectivity/locations", + "Microsoft.ProgrammableConnectivity/locations/operationStatuses", + "Microsoft.ProgrammableConnectivity/gateways", + "Microsoft.ProgrammableConnectivity/openApiGateways", + "Microsoft.ProgrammableConnectivity/openApiGatewayOfferings", + "Microsoft.ProgrammableConnectivity/OperatorOfferings", + "Microsoft.ProgrammableConnectivity/OperatorConnections", + "Microsoft.ProgrammableConnectivity/operatorApiPlans", + "Microsoft.ProgrammableConnectivity/operatorApiConnections", + "Microsoft.ProviderHub/providerRegistrations", + "Microsoft.ProviderHub/operationStatuses", + "Microsoft.ProviderHub/providerRegistrations/resourceTypeRegistrations", + "Microsoft.ProviderHub/providerRegistrations/defaultRollouts", + "Microsoft.ProviderHub/providerRegistrations/customRollouts", + "Microsoft.ProviderHub/providerRegistrations/checkinmanifest", + "Microsoft.ProviderHub/providerRegistrations/resourceActions", + "Microsoft.ProviderHub/availableAccounts", + "Microsoft.ProviderHub/providerRegistrations/authorizedApplications", + "Microsoft.Purview/accounts", + "Microsoft.Purview/accounts/kafkaConfigurations", + "Microsoft.Purview/operations", + "Microsoft.Purview/setDefaultAccount", + "Microsoft.Purview/removeDefaultAccount", + "Microsoft.Purview/getDefaultAccount", + "Microsoft.Purview/checkNameAvailability", + "Microsoft.Purview/locations", + "Microsoft.Purview/locations/operationResults", + "Microsoft.Purview/locations/listFeatures", + "Microsoft.Purview/locations/usages", + "Microsoft.Purview/policies", + "Microsoft.Quantum/Workspaces", + "Microsoft.Quantum/Operations", + "Microsoft.Quantum/Locations", + "Microsoft.Quantum/Locations/OperationStatuses", + "Microsoft.Quantum/locations/offerings", + "Microsoft.Quantum/Locations/CheckNameAvailability", + "Microsoft.Quota/usages", + "Microsoft.Quota/quotas", + "Microsoft.Quota/quotaRequests", + "Microsoft.Quota/operationsStatus", + "Microsoft.Quota/operations", + "Microsoft.Quota/groupQuotas", + "Microsoft.Quota/groupQuotas/groupQuotaLimits", + "Microsoft.Quota/groupQuotas/subscriptions", + "Microsoft.Quota/groupQuotas/groupQuotaRequests", + "Microsoft.Quota/groupQuotas/quotaAllocations", + "Microsoft.Quota/groupQuotas/quotaAllocationRequests", + "Microsoft.Quota/groupQuotas/groupQuotaOperationsStatus", + "Microsoft.Quota/groupQuotas/subscriptionRequests", + "Microsoft.Quota/groupQuotas/quotaAllocationOperationsStatus", + "Microsoft.RecommendationsService/locations", + "Microsoft.RecommendationsService/locations/operationStatuses", + "Microsoft.RecommendationsService/accounts", + "Microsoft.RecommendationsService/accounts/modeling", + "Microsoft.RecommendationsService/accounts/serviceEndpoints", + "Microsoft.RecommendationsService/operations", + "Microsoft.RecommendationsService/checkNameAvailability", + "Microsoft.RedHatOpenShift/locations", + "Microsoft.RedHatOpenShift/locations/operationresults", + "Microsoft.RedHatOpenShift/locations/operationsstatus", + "Microsoft.RedHatOpenShift/OpenShiftClusters", + "Microsoft.RedHatOpenShift/operations", + "Microsoft.RedHatOpenShift/locations/openshiftversions", + "Microsoft.ResourceConnector/locations", + "Microsoft.ResourceConnector/appliances", + "Microsoft.ResourceConnector/locations/operationsstatus", + "Microsoft.ResourceConnector/locations/operationresults", + "Microsoft.ResourceConnector/operations", + "Microsoft.ResourceConnector/telemetryconfig", + "Microsoft.ResourceGraph/resources", + "Microsoft.ResourceGraph/resourcesHistory", + "Microsoft.ResourceGraph/resourceChanges", + "Microsoft.ResourceGraph/resourceChangeDetails", + "Microsoft.ResourceGraph/operations", + "Microsoft.ResourceGraph/subscriptionsStatus", + "Microsoft.ResourceGraph/queries", + "Microsoft.ResourceGraph/generateQuery", + "Microsoft.ResourceNotifications/eventGridFilters", + "Microsoft.ResourceNotifications/operations", + "Microsoft.Resources/deploymentScripts", + "Microsoft.Resources/deploymentScripts/logs", + "Microsoft.Resources/locations/deploymentScriptOperationResults", + "Microsoft.Resources/templateSpecs", + "Microsoft.Resources/templateSpecs/versions", + "Microsoft.Resources/builtInTemplateSpecs", + "Microsoft.Resources/builtInTemplateSpecs/versions", + "Microsoft.Resources/deploymentStacks", + "Microsoft.Resources/locations/deploymentStackOperationStatus", + "Microsoft.Resources/mobobrokers", + "Microsoft.Resources/tenants", + "Microsoft.Resources/locations", + "Microsoft.Resources/operationresults", + "Microsoft.Resources/notifyResourceJobs", + "Microsoft.Resources/tags", + "Microsoft.Resources/checkPolicyCompliance", + "Microsoft.Resources/providers", + "Microsoft.Resources/checkresourcename", + "Microsoft.Resources/calculateTemplateHash", + "Microsoft.Resources/resources", + "Microsoft.Resources/subscriptions", + "Microsoft.Resources/subscriptions/resources", + "Microsoft.Resources/subscriptions/providers", + "Microsoft.Resources/subscriptions/operationresults", + "Microsoft.Resources/resourceGroups", + "Microsoft.Resources/subscriptions/resourceGroups", + "Microsoft.Resources/subscriptions/resourcegroups/resources", + "Microsoft.Resources/subscriptions/locations", + "Microsoft.Resources/subscriptions/tagnames", + "Microsoft.Resources/subscriptions/tagNames/tagValues", + "Microsoft.Resources/deployments", + "Microsoft.Resources/deployments/operations", + "Microsoft.Resources/validateResources", + "Microsoft.Resources/links", + "Microsoft.Resources/operations", + "Microsoft.Resources/bulkDelete", + "Microsoft.Resources/changes", + "Microsoft.Resources/snapshots", + "Microsoft.Resources/dataBoundaries", + "Microsoft.Resources/deploymentStacks/snapshots", + "Microsoft.Resources/checkZonePeers", + "Microsoft.SaaS/applications", + "Microsoft.SaaS/checknameavailability", + "Microsoft.SaaS/saasresources", + "Microsoft.SaaS/operationResults", + "Microsoft.SaaS/operations", + "Microsoft.SaaS/resources", + "Microsoft.SaaSHub/operationStatuses", + "Microsoft.SaaSHub/cloudServices", + "Microsoft.SaaSHub/operations", + "Microsoft.SaaSHub/registeredSubscriptions", + "Microsoft.SaaSHub/checkNameAvailability", + "Microsoft.SaaSHub/canCreate", + "Microsoft.SaaSHub/locations", + "Microsoft.SaaSHub/locations/operationStatuses", + "Microsoft.Scom/locations/operationStatuses", + "Microsoft.Scom/operations", + "Microsoft.Scom/locations", + "Microsoft.Scom/managedInstances", + "Microsoft.Scom/managedInstances/monitoredResources", + "Microsoft.Scom/managedInstances/managedGateways", + "Microsoft.ScVmm/locations", + "Microsoft.ScVmm/Locations/OperationStatuses", + "Microsoft.ScVmm/operations", + "Microsoft.ScVmm/VMMServers", + "Microsoft.ScVmm/Clouds", + "Microsoft.ScVmm/VirtualNetworks", + "Microsoft.ScVmm/VirtualMachineTemplates", + "Microsoft.ScVmm/VirtualMachines", + "Microsoft.ScVmm/AvailabilitySets", + "Microsoft.ScVmm/VMMServers/InventoryItems", + "Microsoft.ScVmm/VirtualMachines/HybridIdentityMetadata", + "Microsoft.ScVmm/VirtualMachines/GuestAgents", + "Microsoft.ScVmm/VirtualMachines/Extensions", + "Microsoft.ScVmm/VirtualMachineInstances", + "Microsoft.SecurityDetonation/chambers", + "Microsoft.SecurityDetonation/operations", + "Microsoft.SecurityDetonation/operationResults", + "Microsoft.SecurityDetonation/checkNameAvailability", + "Microsoft.SecurityDevOps/Locations", + "Microsoft.SecurityDevOps/Locations/OperationStatuses", + "Microsoft.SecurityDevOps/gitHubConnectors", + "Microsoft.SecurityDevOps/azureDevOpsConnectors", + "Microsoft.SecurityDevOps/azureDevOpsConnectors/orgs", + "Microsoft.SecurityDevOps/gitHubConnectors/owners", + "Microsoft.SecurityDevOps/azureDevOpsConnectors/orgs/projects", + "Microsoft.SecurityDevOps/gitHubConnectors/owners/repos", + "Microsoft.SecurityDevOps/azureDevOpsConnectors/orgs/projects/repos", + "Microsoft.SecurityDevOps/Operations", + "Microsoft.SecurityDevOps/gitHubConnectors/stats", + "Microsoft.SecurityDevOps/gitHubConnectors/repos", + "Microsoft.SecurityDevOps/azureDevOpsConnectors/stats", + "Microsoft.SecurityDevOps/azureDevOpsConnectors/repos", + "Microsoft.SecurityDevOps/gitLabConnectors", + "Microsoft.SecurityDevOps/gitHubConnectors/gitHubInstallations", + "Microsoft.SecurityDevOps/gitHubConnectors/gitHubInstallations/gitHubRepositories", + "Microsoft.SecurityDevOps/gitLabConnectors/groups", + "Microsoft.SecurityDevOps/gitLabConnectors/projects", + "Microsoft.SecurityDevOps/gitLabConnectors/stats", + "Microsoft.SecurityDevOps/gitLabConnectors/groups/projects", + "Microsoft.SerialConsole/consoleServices", + "Microsoft.SerialConsole/serialPorts", + "Microsoft.SerialConsole/locations", + "Microsoft.SerialConsole/locations/consoleServices", + "Microsoft.SerialConsole/operations", + "Microsoft.ServiceNetworking/trafficControllers", + "Microsoft.ServiceNetworking/trafficControllers/frontends", + "Microsoft.ServiceNetworking/trafficControllers/associations", + "Microsoft.ServiceNetworking/operations", + "Microsoft.ServiceNetworking/locations", + "Microsoft.ServiceNetworking/locations/operations", + "Microsoft.ServiceNetworking/locations/operationResults", + "Microsoft.ServicesHub/connectors", + "Microsoft.ServicesHub/workspaces", + "Microsoft.ServicesHub/supportOfferingEntitlement", + "Microsoft.ServicesHub/operations", + "Microsoft.ServicesHub/getRecommendationsContent", + "Microsoft.ServicesHub/connectors/connectorSpaces", + "Microsoft.SignalRService/SignalR", + "Microsoft.SignalRService/WebPubSub", + "Microsoft.SignalRService/SignalR/replicas", + "Microsoft.SignalRService/WebPubSub/replicas", + "Microsoft.SignalRService/locations", + "Microsoft.SignalRService/locations/operationResults", + "Microsoft.SignalRService/locations/operationStatuses", + "Microsoft.SignalRService/operations", + "Microsoft.SignalRService/locations/checkNameAvailability", + "Microsoft.SignalRService/locations/usages", + "Microsoft.SignalRService/SignalR/eventGridFilters", + "Microsoft.Singularity/accounts", + "Microsoft.Singularity/accounts/storageContainers", + "Microsoft.Singularity/accounts/networks", + "Microsoft.Singularity/accounts/secrets", + "Microsoft.Singularity/accounts/accountQuotaPolicies", + "Microsoft.Singularity/accounts/groupPolicies", + "Microsoft.Singularity/accounts/jobs", + "Microsoft.Singularity/accounts/models", + "Microsoft.Singularity/locations", + "Microsoft.Singularity/locations/instanceTypeSeries", + "Microsoft.Singularity/locations/instanceTypeSeries/instanceTypes", + "Microsoft.Singularity/locations/operationResults", + "Microsoft.Singularity/locations/operationStatus", + "Microsoft.Singularity/operations", + "Microsoft.Singularity/images", + "Microsoft.Singularity/quotas", + "Microsoft.SoftwarePlan/hybridUseBenefits", + "Microsoft.SoftwarePlan/operations", + "Microsoft.Solutions/applications", + "Microsoft.Solutions/applicationDefinitions", + "Microsoft.Solutions/locations", + "Microsoft.Solutions/jitRequests", + "Microsoft.Solutions/locations/operationstatuses", + "Microsoft.Solutions/Operations", + "Microsoft.Sovereign/Locations", + "Microsoft.Sovereign/Locations/OperationStatuses", + "Microsoft.Sovereign/landingZoneConfigurations", + "Microsoft.Sovereign/landingZoneRegistrations", + "Microsoft.Sovereign/Operations", + "Microsoft.Sovereign/checkNameAvailability", + "Microsoft.SqlVirtualMachine/SqlVirtualMachineGroups", + "Microsoft.SqlVirtualMachine/SqlVirtualMachines", + "Microsoft.SqlVirtualMachine/SqlVirtualMachineGroups/AvailabilityGroupListeners", + "Microsoft.SqlVirtualMachine/operations", + "Microsoft.SqlVirtualMachine/Locations", + "Microsoft.SqlVirtualMachine/Locations/OperationTypes", + "Microsoft.SqlVirtualMachine/Locations/sqlVirtualMachineOperationResults", + "Microsoft.SqlVirtualMachine/Locations/sqlVirtualMachineGroupOperationResults", + "Microsoft.SqlVirtualMachine/Locations/availabilityGroupListenerOperationResults", + "Microsoft.SqlVirtualMachine/Locations/registerSqlVmCandidate", + "Microsoft.StandbyPool/Locations", + "Microsoft.StandbyPool/Locations/OperationStatuses", + "Microsoft.StandbyPool/Operations", + "Microsoft.StorageActions/storageTasks", + "Microsoft.StorageActions/operations", + "Microsoft.StorageActions/locations/asyncoperations", + "Microsoft.StorageActions/locations/previewActions", + "Microsoft.StorageActions/locations", + "Microsoft.StorageCache/caches", + "Microsoft.StorageCache/caches/storageTargets", + "Microsoft.StorageCache/amlFilesystems", + "Microsoft.StorageCache/operations", + "Microsoft.StorageCache/usageModels", + "Microsoft.StorageCache/checkAmlFSSubnets", + "Microsoft.StorageCache/getRequiredAmlFSSubnetsSize", + "Microsoft.StorageCache/locations", + "Microsoft.StorageCache/locations/ascoperations", + "Microsoft.StorageCache/locations/usages", + "Microsoft.StorageMover/storageMovers", + "Microsoft.StorageMover/storageMovers/projects", + "Microsoft.StorageMover/storageMovers/agents", + "Microsoft.StorageMover/storageMovers/endpoints", + "Microsoft.StorageMover/storageMovers/projects/jobDefinitions", + "Microsoft.StorageMover/operations", + "Microsoft.StorageMover/storageMovers/projects/jobDefinitions/jobRuns", + "Microsoft.StorageMover/locations", + "Microsoft.StorageMover/locations/operationStatuses", + "Microsoft.StorageSync/storageSyncServices", + "Microsoft.StorageSync/storageSyncServices/syncGroups", + "Microsoft.StorageSync/storageSyncServices/syncGroups/cloudEndpoints", + "Microsoft.StorageSync/storageSyncServices/syncGroups/serverEndpoints", + "Microsoft.StorageSync/storageSyncServices/registeredServers", + "Microsoft.StorageSync/storageSyncServices/workflows", + "Microsoft.StorageSync/operations", + "Microsoft.StorageSync/locations", + "Microsoft.StorageSync/locations/checkNameAvailability", + "Microsoft.StorageSync/locations/workflows", + "Microsoft.StorageSync/locations/operations", + "Microsoft.StorageSync/locations/operationResults", + "Microsoft.StorageTasks/locations", + "Microsoft.Subscription/SubscriptionDefinitions", + "Microsoft.Subscription/SubscriptionOperations", + "Microsoft.Subscription/CreateSubscription", + "Microsoft.Subscription/operations", + "Microsoft.Subscription/cancel", + "Microsoft.Subscription/validateCancel", + "Microsoft.Subscription/rename", + "Microsoft.Subscription/enable", + "Microsoft.Subscription/subscriptions", + "Microsoft.Subscription/aliases", + "Microsoft.Subscription/operationResults", + "Microsoft.Subscription/acceptChangeTenant", + "Microsoft.Subscription/changeTenantStatus", + "Microsoft.Subscription/changeTenantRequest", + "Microsoft.Subscription/policies", + "Microsoft.Subscription/acceptOwnership", + "Microsoft.Subscription/acceptOwnershipStatus", + // Not supported in Mooncake + /* + "microsoft.support/operations", + "microsoft.support/checkNameAvailability", + "microsoft.support/classifyServices", + "microsoft.support/services", + "microsoft.support/services/problemclassifications", + "microsoft.support/supporttickets", + "microsoft.support/supporttickets/communications", + "microsoft.support/operationresults", + "microsoft.support/operationsstatus", + "microsoft.support/lookUpResourceId", + "microsoft.support/fileWorkspaces", + "microsoft.support/fileWorkspaces/files", + */ + "Microsoft.Synapse/workspaces", + "Microsoft.Synapse/workspaces/bigDataPools", + "Microsoft.Synapse/workspaces/sqlPools", + "Microsoft.Synapse/workspaces/sqlDatabases", + "Microsoft.Synapse/locations/sqlDatabaseAzureAsyncOperation", + "Microsoft.Synapse/locations/sqlDatabaseOperationResults", + "Microsoft.Synapse/workspaces/kustoPools", + "Microsoft.Synapse/locations/kustoPoolOperationResults", + "Microsoft.Synapse/locations/kustoPoolCheckNameAvailability", + "Microsoft.Synapse/workspaces/kustoPools/databases", + "Microsoft.Synapse/workspaces/kustoPools/attacheddatabaseconfigurations", + "Microsoft.Synapse/workspaces/kustoPools/databases/dataconnections", + "Microsoft.Synapse/locations/sqlPoolAzureAsyncOperation", + "Microsoft.Synapse/locations/sqlPoolOperationResults", + "Microsoft.Synapse/workspaces/operationStatuses", + "Microsoft.Synapse/workspaces/operationResults", + "Microsoft.Synapse/checkNameAvailability", + "Microsoft.Synapse/operations", + "Microsoft.Synapse/kustoOperations", + "Microsoft.Synapse/privateLinkHubs", + "Microsoft.Synapse/locations", + "Microsoft.Synapse/locations/operationResults", + "Microsoft.Synapse/locations/operationStatuses", + "Microsoft.Synapse/locations/usages", + "Microsoft.Synapse/workspaces/usages", + "Microsoft.Syntex/documentProcessors", + "Microsoft.Syntex/operations", + "Microsoft.Syntex/accounts", + "Microsoft.Syntex/Locations", + "Microsoft.Syntex/Locations/OperationStatuses", + "Microsoft.TestBase/locations", + "Microsoft.TestBase/locations/operationstatuses", + "Microsoft.TestBase/skus", + "Microsoft.TestBase/operations", + "Microsoft.TestBase/testBaseAccounts", + "Microsoft.TestBase/testBaseAccounts/usages", + "Microsoft.TestBase/testBaseAccounts/availableOSs", + "Microsoft.TestBase/testBaseAccounts/testTypes", + "Microsoft.TestBase/testBaseAccounts/flightingRings", + "Microsoft.TestBase/testBaseAccounts/packages", + "Microsoft.TestBase/testBaseAccounts/packages/osUpdates", + "Microsoft.TestBase/testBaseAccounts/testSummaries", + "Microsoft.TestBase/testBaseAccounts/packages/favoriteProcesses", + "Microsoft.TestBase/testBaseAccounts/packages/testResults", + "Microsoft.TestBase/testBaseAccounts/packages/testResults/analysisResults", + "Microsoft.TestBase/testBaseAccounts/emailEvents", + "Microsoft.TestBase/testBaseAccounts/customerEvents", + "Microsoft.TestBase/testBaseAccounts/featureUpdateSupportedOses", + "Microsoft.TestBase/testBaseAccounts/availableInplaceUpgradeOSs", + "Microsoft.TestBase/testBaseAccounts/firstPartyApps", + "Microsoft.TestBase/testBaseAccounts/draftPackages", + "Microsoft.TestBase/testBaseAccounts/actionRequests", + "Microsoft.TestBase/testBaseAccounts/testConfigurations", + "Microsoft.TestBase/testBaseAccounts/availableVMConfigurationTypes", + "Microsoft.TestBase/testBaseAccounts/customImages", + "Microsoft.TestBase/testBaseAccounts/vhds", + "Microsoft.TestBase/testBaseAccounts/imageDefinitions", + "Microsoft.TestBase/testBaseAccounts/galleryApps", + "Microsoft.TestBase/testBaseAccounts/galleryApps/galleryAppSkus", + "Microsoft.TestBase/testBaseAccounts/chatSessions", + "Microsoft.TestBase/testBaseAccounts/freeHourBalances", + "Microsoft.TestBase/testBaseAccounts/credentials", + "Microsoft.TestBase/testBaseAccounts/testConfigurations/testResults", + "Microsoft.UsageBilling/operations", + "Microsoft.VideoIndexer/operations", + "Microsoft.VideoIndexer/locations", + "Microsoft.VideoIndexer/locations/operationstatuses", + "Microsoft.VideoIndexer/accounts", + "Microsoft.VideoIndexer/checknameavailability", + "Microsoft.VideoIndexer/locations/userclassicaccounts", + "Microsoft.VideoIndexer/locations/classicaccounts", + "Microsoft.VirtualMachineImages/imageTemplates", + "Microsoft.VirtualMachineImages/imageTemplates/runOutputs", + "Microsoft.VirtualMachineImages/imageTemplates/triggers", + "Microsoft.VirtualMachineImages/locations", + "Microsoft.VirtualMachineImages/locations/operations", + "Microsoft.VirtualMachineImages/operations", + "microsoft.visualstudio/account", + "microsoft.visualstudio/operations", + "microsoft.visualstudio/account/extension", + "microsoft.visualstudio/checkNameAvailability", + "Microsoft.VMware/Locations", + "Microsoft.VMware/Locations/OperationStatuses", + "Microsoft.VMware/Operations", + "Microsoft.VMware/VCenters/InventoryItems", + "Microsoft.VoiceServices/Operations", + "Microsoft.VoiceServices/locations", + "Microsoft.VoiceServices/locations/checkNameAvailability", + "Microsoft.VoiceServices/registeredSubscriptions", + "Microsoft.VSOnline/accounts", + "Microsoft.VSOnline/plans", + "Microsoft.VSOnline/operations", + "Microsoft.VSOnline/registeredSubscriptions", + "Microsoft.WindowsIoT/DeviceServices", + "Microsoft.WindowsIoT/operations", + "Microsoft.WindowsPushNotificationServices/checkNameAvailability", + "Microsoft.WorkloadBuilder/Locations", + "Microsoft.WorkloadBuilder/Locations/OperationStatuses", + "Microsoft.WorkloadBuilder/Operations", + "Microsoft.Workloads/Locations", + "Microsoft.Workloads/Locations/OperationStatuses", + "Microsoft.Workloads/sapVirtualInstances", + "Microsoft.Workloads/sapVirtualInstances/applicationInstances", + "Microsoft.Workloads/sapVirtualInstances/centralInstances", + "Microsoft.Workloads/sapVirtualInstances/databaseInstances", + "Microsoft.Workloads/Operations", + "Microsoft.Workloads/monitors", + "Microsoft.Workloads/monitors/providerInstances", + "Microsoft.Workloads/Locations/sapVirtualInstanceMetadata", + "Microsoft.Workloads/connectors", + "Microsoft.Workloads/connectors/acssBackups", + "Microsoft.Workloads/monitors/sapLandscapeMonitor", + "NewRelic.Observability/operations", + "NewRelic.Observability/registeredSubscriptions", + "NewRelic.Observability/locations", + "NewRelic.Observability/locations/operationStatuses", + "NewRelic.Observability/monitors", + "NewRelic.Observability/monitors/tagRules", + "NewRelic.Observability/checkNameAvailability", + "NewRelic.Observability/accounts", + "NewRelic.Observability/plans", + "NewRelic.Observability/organizations", + "NewRelic.Observability/monitors/monitoredSubscriptions", + "NGINX.NGINXPLUS/operations", + "NGINX.NGINXPLUS/locations", + "NGINX.NGINXPLUS/locations/operationStatuses", + "NGINX.NGINXPLUS/nginxDeployments/configurations", + "NGINX.NGINXPLUS/nginxDeployments", + "NGINX.NGINXPLUS/nginxDeployments/certificates", + "Oracle.Database/Locations", + "Oracle.Database/Locations/OperationStatuses", + "Oracle.Database/Operations", + "PaloAltoNetworks.Cloudngfw/operations", + "PaloAltoNetworks.Cloudngfw/locations", + "PaloAltoNetworks.Cloudngfw/registeredSubscriptions", + "PaloAltoNetworks.Cloudngfw/checkNameAvailability", + "PaloAltoNetworks.Cloudngfw/Locations/operationStatuses", + "PaloAltoNetworks.Cloudngfw/firewalls", + "PaloAltoNetworks.Cloudngfw/localRulestacks", + "PaloAltoNetworks.Cloudngfw/globalRulestacks", + "PaloAltoNetworks.Cloudngfw/localRulestacks/localRules", + "PaloAltoNetworks.Cloudngfw/localRulestacks/fqdnlists", + "PaloAltoNetworks.Cloudngfw/globalRulestacks/fqdnlists", + "PaloAltoNetworks.Cloudngfw/globalRulestacks/preRules", + "PaloAltoNetworks.Cloudngfw/globalRulestacks/postRules", + "PaloAltoNetworks.Cloudngfw/globalRulestacks/prefixlists", + "PaloAltoNetworks.Cloudngfw/localRulestacks/prefixlists", + "PaloAltoNetworks.Cloudngfw/globalRulestacks/certificates", + "PaloAltoNetworks.Cloudngfw/localRulestacks/certificates", + "PaloAltoNetworks.Cloudngfw/firewalls/statuses", + "PureStorage.Block/operations", + "PureStorage.Block/locations", + "PureStorage.Block/checkNameAvailability", + "PureStorage.Block/locations/operationStatuses", + "Qumulo.Storage/registeredSubscriptions", + "Qumulo.Storage/locations", + "Qumulo.Storage/locations/operationStatuses", + "Qumulo.Storage/checkNameAvailability", + "Qumulo.Storage/operations", + "Qumulo.Storage/fileSystems", + "SolarWinds.Observability/operations", + "SolarWinds.Observability/registeredSubscriptions", + "SolarWinds.Observability/locations", + "SolarWinds.Observability/locations/operationStatuses", + "SolarWinds.Observability/checkNameAvailability", + "SplitIO.Experimentation/operations", + "SplitIO.Experimentation/locations", + "SplitIO.Experimentation/locations/operationStatuses", + "SplitIO.Experimentation/checkNameAvailability", + "Wandisco.Fusion/Locations", + "Wandisco.Fusion/Locations/operationStatuses", + "Wandisco.Fusion/registeredSubscriptions", + "Wandisco.Fusion/Operations", + "Wandisco.Fusion/migrators", + "Wandisco.Fusion/migrators/targets", + "Wandisco.Fusion/migrators/liveDataMigrations", + "Wandisco.Fusion/migrators/exclusionTemplates", + "Wandisco.Fusion/migrators/metadataMigrations", + "Wandisco.Fusion/migrators/metadataTargets", + "Wandisco.Fusion/migrators/pathMappings", + "Wandisco.Fusion/migrators/dataTransferAgents", + "Wandisco.Fusion/migrators/verifications" + ] + + }, + "resources": [ + { + "condition": "[not(contains(variables('knownPolicyInitativeDefinitionIdsThatRequireParamaeters'), parameters('policySetDefinitionId')))]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[parameters('policyAssignmentName')]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[parameters('policySetDefinitionDescription')]", + "displayName": "[parameters('policySetDefinitionDisplayName')]", + "policyDefinitionId": "[parameters('policySetDefinitionId')]", + "enforcementMode": "[parameters('enforcementMode')]" + } + }, + { + // [Preview]: Australian Government ISM PROTECTED + "condition": "[equals(parameters('policySetDefinitionId'), '/providers/Microsoft.Authorization/policySetDefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077')]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[parameters('policyAssignmentName')]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[parameters('policySetDefinitionDescription')]", + "displayName": "[parameters('policySetDefinitionDisplayName')]", + "policyDefinitionId": "[parameters('policySetDefinitionId')]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "membersToExclude": { + "value": "[parameters('regCompPolParAusGovIsmRestrictedVmAdminsExclude')]" + }, + "logAnalyticsWorkspaceId": { + "value": "[parameters('logAnalyticsWorkspaceId')]" + }, + "listOfResourceTypes": { + "value": "[if(equals(parameters('regCompPolParAusGovIsmRestrictedResourceTypes'), 'all'), variables('allResourceTypes'), createArray())]" + } + } + } + }, + { + // [Preview]: Motion Picture Association of America (MPAA) + "condition": "[equals(parameters('policySetDefinitionId'), '/providers/Microsoft.Authorization/policySetDefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8')]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[parameters('policyAssignmentName')]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[parameters('policySetDefinitionDescription')]", + "displayName": "[parameters('policySetDefinitionDisplayName')]", + "policyDefinitionId": "[parameters('policySetDefinitionId')]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "certificateThumbprints": { + "value": "[parameters('regCompPolParMPAACertificateThumb')]" + }, + "applicationName": { + "value": "[parameters('regCompPolParMPAAApplicationName')]" + }, + "storagePrefix": { + "value": "[parameters('regCompPolParMPAAStoragePrefix')]" + }, + "rgName": { + "value": "[parameters('regCompPolParMPAAResGroupPrefix')]" + }, + "metricName": { + "value": "[parameters('regCompPolParMPAARBatchMetricName')]" + } + } + } + }, + { + // [Preview]: Sovereignty Baseline - Confidential Policies + "condition": "[equals(parameters('policySetDefinitionId'), '/providers/Microsoft.Authorization/policySetDefinitions/03de05a4-c324-4ccd-882f-a814ea8ab9ea')]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[parameters('policyAssignmentName')]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[parameters('policySetDefinitionDescription')]", + "displayName": "[parameters('policySetDefinitionDisplayName')]", + "policyDefinitionId": "[parameters('policySetDefinitionId')]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "listOfAllowedLocations": { + "value": "[parameters('regCompPolParSovBaseConfRegions')]" + } + } + } + }, + { + // [Preview]: Sovereignty Baseline - Global Policies + "condition": "[equals(parameters('policySetDefinitionId'), '/providers/Microsoft.Authorization/policySetDefinitions/c1cbff38-87c0-4b9f-9f70-035c7a3b5523')]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[parameters('policyAssignmentName')]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[parameters('policySetDefinitionDescription')]", + "displayName": "[parameters('policySetDefinitionDisplayName')]", + "policyDefinitionId": "[parameters('policySetDefinitionId')]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "listOfAllowedLocations": { + "value": "[parameters('regCompPolParSovBaseGlobalRegions')]" + } + } + } + }, + { + // [Preview]: SWIFT CSP-CSCF v2020 + "condition": "[equals(parameters('policySetDefinitionId'), '/providers/Microsoft.Authorization/policySetDefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22')]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[parameters('policyAssignmentName')]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[parameters('policySetDefinitionDescription')]", + "displayName": "[parameters('policySetDefinitionDisplayName')]", + "policyDefinitionId": "[parameters('policySetDefinitionId')]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "workspaceIDsLogAnalyticsAgentShouldConnectTo": { + "value": "[parameters('logAnalyticsWorkspaceId')]" + }, + "listOfMembersToIncludeInWindowsVMAdministratorsGroup": { + "value": "[parameters('regCompPolParSwift2020VmAdminsInclude')]" + }, + "domainNameFQDN": { + "value": "[parameters('regCompPolParSwift2020DomainFqdn')]" + } + } + } + }, + { + // Canada Federal PBMM + "condition": "[equals(parameters('policySetDefinitionId'), '/providers/Microsoft.Authorization/policySetDefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87')]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[parameters('policyAssignmentName')]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[parameters('policySetDefinitionDescription')]", + "displayName": "[parameters('policySetDefinitionDisplayName')]", + "policyDefinitionId": "[parameters('policySetDefinitionId')]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "logAnalyticsWorkspaceIdforVMReporting": { + "value": "[parameters('logAnalyticsWorkspaceId')]" + }, + "listOfMembersToExcludeFromWindowsVMAdministratorsGroup": { + "value": "[parameters('regCompPolParCanadaFedPbmmVmAdminsExclude')]" + }, + "listOfMembersToIncludeInWindowsVMAdministratorsGroup": { + "value": "[parameters('regCompPolParCanadaFedPbmmVmAdminsInclude')]" + } + } + } + }, + { + // CIS Microsoft Azure Foundations Benchmark v2.0.0 + "condition": "[equals(parameters('policySetDefinitionId'), '/providers/Microsoft.Authorization/policySetDefinitions/06f19060-9e68-4070-92ca-f15cc126059e')]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[parameters('policyAssignmentName')]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[parameters('policySetDefinitionDescription')]", + "displayName": "[parameters('policySetDefinitionDisplayName')]", + "policyDefinitionId": "[parameters('policySetDefinitionId')]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "maximumDaysToRotate-d8cf8476-a2ec-4916-896e-992351803c44": { + "value": "[parameters('regCompPolParCisV2KeyVaultKeysRotateDays')]" + } + } + } + }, + { + // CMMC Level 3 + "condition": "[equals(parameters('policySetDefinitionId'), '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de')]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[parameters('policyAssignmentName')]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[parameters('policySetDefinitionDescription')]", + "displayName": "[parameters('policySetDefinitionDisplayName')]", + "policyDefinitionId": "[parameters('policySetDefinitionId')]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "logAnalyticsWorkspaceId-f47b5582-33ec-4c5c-87c0-b010a6b2e917": { + "value": "[parameters('logAnalyticsWorkspaceId')]" + }, + "MembersToInclude-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7": { + "value": "[parameters('regCompPolParCmmcL3VmAdminsInclude')]" + }, + "MembersToExclude-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f": { + "value": "[parameters('regCompPolParCmmcL3VmAdminsExclude')]" + } + } + } + }, + { + // HITRUST/HIPAA + "condition": "[equals(parameters('policySetDefinitionId'), '/providers/Microsoft.Authorization/policySetDefinitions/a169a624-5599-4385-a696-c8d643089fab')]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[parameters('policyAssignmentName')]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[parameters('policySetDefinitionDescription')]", + "displayName": "[parameters('policySetDefinitionDisplayName')]", + "policyDefinitionId": "[parameters('policySetDefinitionId')]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "CertificateThumbprints": { + "value": "[parameters('regCompPolParHitrustHipaaCertificateThumb')]" + }, + "installedApplicationsOnWindowsVM": { + "value": "[parameters('regCompPolParHitrustHipaaApplicationName')]" + }, + "DeployDiagnosticSettingsforNetworkSecurityGroupsstoragePrefix": { + "value": "[parameters('regCompPolParHitrustHipaaStoragePrefix')]" + }, + "DeployDiagnosticSettingsforNetworkSecurityGroupsrgName": { + "value": "[parameters('regCompPolParHitrustHipaaResGroupPrefix')]" + } + } + } + }, + { + // IRS1075 September 2016 + "condition": "[equals(parameters('policySetDefinitionId'), '/providers/Microsoft.Authorization/policySetDefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d')]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[parameters('policyAssignmentName')]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[parameters('policySetDefinitionDescription')]", + "displayName": "[parameters('policySetDefinitionDisplayName')]", + "policyDefinitionId": "[parameters('policySetDefinitionId')]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "logAnalyticsWorkspaceIdforVMReporting": { + "value": "[parameters('logAnalyticsWorkspaceId')]" + }, + "listOfMembersToExcludeFromWindowsVMAdministratorsGroup": { + "value": "[parameters('regCompPolParIrs1075Sep2016VmAdminsExclude')]" + }, + "listOfMembersToIncludeInWindowsVMAdministratorsGroup": { + "value": "[parameters('regCompPolParIrs1075Sep2016VmAdminsInclude')]" + } + } + } + }, + { + // New Zealand ISM Restricted + "condition": "[equals(parameters('policySetDefinitionId'), '/providers/Microsoft.Authorization/policySetDefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a')]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[parameters('policyAssignmentName')]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[parameters('policySetDefinitionDescription')]", + "displayName": "[parameters('policySetDefinitionDisplayName')]", + "policyDefinitionId": "[parameters('policySetDefinitionId')]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "MembersToInclude-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7": { + "value": "[parameters('regCompPolParNZIsmRestrictedVmAdminsInclude')]" + }, + "MembersToExclude-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f": { + "value": "[parameters('regCompPolParNZIsmRestrictedVmAdminsExclude')]" + } + } + } + }, + { + // NIST SP 800-171 Rev. 2 + "condition": "[equals(parameters('policySetDefinitionId'), '/providers/Microsoft.Authorization/policySetDefinitions/03055927-78bd-4236-86c0-f36125a10dc9')]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[parameters('policyAssignmentName')]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[parameters('policySetDefinitionDescription')]", + "displayName": "[parameters('policySetDefinitionDisplayName')]", + "policyDefinitionId": "[parameters('policySetDefinitionId')]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "logAnalyticsWorkspaceIDForVMAgents": { + "value": "[parameters('logAnalyticsWorkspaceId')]" + }, + "membersToExcludeInLocalAdministratorsGroup": { + "value": "[parameters('regCompPolParNistSp800171R2VmAdminsExclude')]" + }, + "membersToIncludeInLocalAdministratorsGroup": { + "value": "[parameters('regCompPolParNistSp800171R2VmAdminsInclude')]" + } + } + } + }, + { + // SOC 2 Type 2 + "condition": "[equals(parameters('policySetDefinitionId'), '/providers/Microsoft.Authorization/policySetDefinitions/4054785f-702b-4a98-9215-009cbd58b141')]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[parameters('policyAssignmentName')]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[parameters('policySetDefinitionDescription')]", + "displayName": "[parameters('policySetDefinitionDisplayName')]", + "policyDefinitionId": "[parameters('policySetDefinitionId')]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469": { + "value": "[parameters('regCompPolParSoc2Type2AllowedRegistries')]" + }, + "cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164": { + "value": "[parameters('regCompPolParSoc2Type2MaxCpuUnits')]" + }, + "memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164": { + "value": "[parameters('regCompPolParSoc2Type2MaxMemoryBytes')]" + } + } + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployRoles]", + "dependsOn": [ + "[parameters('policyAssignmentName')]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', parameters('policyAssignmentName')), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/src/templates/policies.bicep b/src/templates/policies.bicep index 0ec8d09707..c6fe55442f 100644 --- a/src/templates/policies.bicep +++ b/src/templates/policies.bicep @@ -146,7 +146,6 @@ var loadPolicyDefinitions = { loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS.json') loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement.json') loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-VNET-HubSpoke.json') // Only difference is hard-coded template deployment location (handled by this template) - loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown.json') loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Windows-DomainJoin.json') loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW.json') loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Audit-PrivateLinkDnsZones.json') @@ -201,6 +200,7 @@ var loadPolicyDefinitions = { loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicNetworkAccess.json') // Needs validating in AzureChinaCloud and AzureUSGovernment loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Budget.json') // Needs validating in AzureChinaCloud (already used in AzureUSGovernment) loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans.json') // No obvious reason for exclusion from AzureChinaCloud and AzureUSGovernment, impacts "Deploy-Diagnostics-LogAnalytics" Policy Set Definition + loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown.json') // Not workin in AzureChinaCloud, needs validating in AzureUSGovernment ] AzureChinaCloud: [ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP.AzureChinaCloud.json') // Used by "Deny-PublicPaaSEndpoints" Policy Set Definition to replace missing built-in Policy Definition in AzureChinaCloud From 5d77c32e0831cea814db9b7554b8883531e901bc Mon Sep 17 00:00:00 2001 From: yuanzhang9 Date: Thu, 25 Jul 2024 13:46:00 +0800 Subject: [PATCH 05/35] Update for policy VM Autoshudown and role assignment --- .../policyDefinitions/Deploy-Vm-autoShutdown.json | 4 +--- src/templates/policies.bicep | 2 +- src/templates/roles.bicep | 6 ++++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown.json index e42d6a8f66..bcb614327a 100644 --- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown.json +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown.json @@ -13,9 +13,7 @@ "category": "Compute", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ - "AzureCloud", - "AzureChinaCloud", - "AzureUSGovernment" + "AzureCloud" ] }, "parameters": { diff --git a/src/templates/policies.bicep b/src/templates/policies.bicep index c6fe55442f..27d17e29a3 100644 --- a/src/templates/policies.bicep +++ b/src/templates/policies.bicep @@ -200,7 +200,7 @@ var loadPolicyDefinitions = { loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicNetworkAccess.json') // Needs validating in AzureChinaCloud and AzureUSGovernment loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Budget.json') // Needs validating in AzureChinaCloud (already used in AzureUSGovernment) loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans.json') // No obvious reason for exclusion from AzureChinaCloud and AzureUSGovernment, impacts "Deploy-Diagnostics-LogAnalytics" Policy Set Definition - loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown.json') // Not workin in AzureChinaCloud, needs validating in AzureUSGovernment + loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown.json') // Not working in AzureChinaCloud, needs validating in AzureUSGovernment ] AzureChinaCloud: [ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP.AzureChinaCloud.json') // Used by "Deny-PublicPaaSEndpoints" Policy Set Definition to replace missing built-in Policy Definition in AzureChinaCloud diff --git a/src/templates/roles.bicep b/src/templates/roles.bicep index 43949f4699..b5370ba7cb 100644 --- a/src/templates/roles.bicep +++ b/src/templates/roles.bicep @@ -8,10 +8,12 @@ var loadRoleDefinitions = { All: [ loadJsonContent('../resources/Microsoft.Authorization/roleDefinitions/Application-Owners.json') loadJsonContent('../resources/Microsoft.Authorization/roleDefinitions/Network-Management.json') - loadJsonContent('../resources/Microsoft.Authorization/roleDefinitions/Security-Operations.json') loadJsonContent('../resources/Microsoft.Authorization/roleDefinitions/Subscription-Owner.json') ] - AzureCloud: [] + AzureCloud: [ + loadJsonContent('../resources/Microsoft.Authorization/roleDefinitions/Security-Operations.json') // Not working in AzureChinaCloud, needs validating on AzureUSGovernment + loadJsonContent('../resources/Microsoft.Authorization/roleDefinitions/Network-Management.json') // Not working in AzureChinaCloud, needs validating on AzureUSGovernment + ] AzureChinaCloud: [] AzureUSGovernment: [] } From c177bd907107817eff2e78b2d50409c14c6ad5ff Mon Sep 17 00:00:00 2001 From: yuanzhang9 Date: Thu, 25 Jul 2024 14:18:09 +0800 Subject: [PATCH 06/35] Update for Decom Policy Set --- .../policySetDefinitions/Enforce-ALZ-Decomm.json | 4 +--- src/templates/initiatives.bicep | 3 ++- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json index a2eaa786d5..da13144022 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json @@ -12,9 +12,7 @@ "category": "Decommissioned", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ - "AzureCloud", - "AzureChinaCloud", - "AzureUSGovernment" + "AzureCloud" ] }, "parameters": { diff --git a/src/templates/initiatives.bicep b/src/templates/initiatives.bicep index a1a7e7c233..0e48249b93 100644 --- a/src/templates/initiatives.bicep +++ b/src/templates/initiatives.bicep @@ -39,7 +39,7 @@ var loadPolicySetDefinitions = { loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security_20240529.json') loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit.json') loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json') - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json') + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox.json') loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/DenyAction-DeleteProtection.json') loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-AUM-CheckUpdates.json') @@ -80,6 +80,7 @@ var loadPolicySetDefinitions = { loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ACSB.json') // Unable to validate if Guest Configuration is working in other clouds loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-DefenderSQL-AMA.json') loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Backup.json') // Unable to validate if all Azure Site Recovery features are working in other clouds + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json') // Not working in AzureChinaCloud, needs validating in AzureUSGovernment ] AzureChinaCloud: [ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.AzureChinaCloud.json') // Due to missing built-in Policy Definitions () From 1dcfe7a7e4afa49b377330badb07ce7c6717185a Mon Sep 17 00:00:00 2001 From: yuanzhang9 Date: Thu, 25 Jul 2024 14:44:48 +0800 Subject: [PATCH 07/35] Update for role definition in mooncake --- src/templates/roles.bicep | 1 - 1 file changed, 1 deletion(-) diff --git a/src/templates/roles.bicep b/src/templates/roles.bicep index b5370ba7cb..a49f2d717e 100644 --- a/src/templates/roles.bicep +++ b/src/templates/roles.bicep @@ -7,7 +7,6 @@ var cloudEnv = environment().name var loadRoleDefinitions = { All: [ loadJsonContent('../resources/Microsoft.Authorization/roleDefinitions/Application-Owners.json') - loadJsonContent('../resources/Microsoft.Authorization/roleDefinitions/Network-Management.json') loadJsonContent('../resources/Microsoft.Authorization/roleDefinitions/Subscription-Owner.json') ] AzureCloud: [ From 52519b539d4702c5f17746b021ee8cf41695a41c Mon Sep 17 00:00:00 2001 From: yuanzhang9 Date: Thu, 25 Jul 2024 16:32:38 +0800 Subject: [PATCH 08/35] Update the policy, initiatives, roles generated via bicep --- .../policyDefinitions/initiatives.json | 88 +++++++------- .../policyDefinitions/policies.json | 114 +++++++++--------- .../customRoleDefinitions.json | 47 ++++---- 3 files changed, 125 insertions(+), 124 deletions(-) diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json index 05720324ea..d8a9e1d2eb 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.28.1.47646", - "templateHash": "14881039068741859194" + "version": "0.22.6.54827", + "templateHash": "3427518993111177727" } }, "parameters": { @@ -78,48 +78,48 @@ ], "$fxv#0": "{\n \"name\": \"Audit-UnusedResourcesCostOptimization\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Unused resources driving cost should be avoided\",\n \"description\": \"Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Cost Optimization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectDisks\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Disks Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Compute/disks\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectPublicIpAddresses\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PublicIpAddresses Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Network/publicIpAddresses\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectServerFarms\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"ServerFarms Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Web/serverfarms\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AuditDisksUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDisks')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditPublicIpAddressesUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectPublicIpAddresses')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditServerFarmsUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectServerFarms')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditAzureHybridBenefitUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Audit\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#1": "{\n \"name\": \"Audit-TrustedLaunch\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Audit virtual machines for Trusted Launch support\",\n \"description\": \"Trusted Launch improves security of a Virtual Machine which requires VM SKU, OS Disk & OS Image to support it (Gen 2). To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Trusted Launch\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AuditDisksOsTrustedLaunch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b03bb370-5249-4ea4-9fce-2552e87e45fa\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditTrustedLaunchEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95b54ad-0614-4633-ab29-104b01235cbf\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#10": "{\n \"name\": \"Enforce-Guardrails-KeyVault\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultManagedHsmCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57\",\n \"policyDefinitionReferenceId\": \"Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#11": "{\n \"name\": \"Enforce-Guardrails-APIM\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for API Management\",\n \"description\": \"This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"API Management\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"apiSubscriptionScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"minimumApiVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSkuVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"apimApiBackendCertValidation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDirectApiEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimCallApiAuthn\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimEncryptedProtocols\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimVnetUsage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSecrets\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Kv\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSecrets')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimVnetUsage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS\",\n \"policyDefinitionReferenceId\": \"Deny-APIM-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Protocols\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimEncryptedProtocols')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Authn\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimCallApiAuthn')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Direct-Endpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDirectApiEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Cert-Validation\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimApiBackendCertValidation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2\",\n \"policyDefinitionReferenceId\": \"Dine-Apim-Public-NetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/73ef9241-5d81-4cd4-b483-8443d1730fe5\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Sku-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSkuVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('minimumApiVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1\",\n \"policyDefinitionReferenceId\": \"Deny-Api-subscription-scope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apiSubscriptionScope')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#12": "{\n \"name\": \"Enforce-Guardrails-AppServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for App Service\",\n \"description\": \"This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"functionAppDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceSkuPl\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuthFtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceScmAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsVnetRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceEnvLatestVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceByoc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Byoc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceByoc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Remote-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Remote-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Latest-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceEnvLatestVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Vnet-Routing\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsVnetRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Rfc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222\",\n \"policyDefinitionReferenceId\": \"Deny-AppServiceApps-Rfc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb\",\n \"policyDefinitionReferenceId\": \"DINE-FuncApp-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-ScmAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceScmAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-Routing\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-FtpAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuthFtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/546fe8d2-368d-4029-a418-6af48a7f61e5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-SkuPl\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceSkuPl')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0f98368e-36bc-4716-8ac2-8f8067203b63\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Apps-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-App-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#13": "{\n \"name\": \"Enforce-Guardrails-Automation\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"autoHotPatch\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc\",\n \"policyDefinitionReferenceId\": \"Deny-Windows-Vm-HotPatch\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('autoHotPatch')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#14": "{\n \"name\": \"Enforce-Guardrails-CognitiveServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cognitive Services\",\n \"description\": \"This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveSearchSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-SKU\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6300012e-e9a4-4649-b41f-a85f5c43be91\",\n \"policyDefinitionReferenceId\": \"Deny-CongitiveSearch-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4eb216f2-9dba-4979-86e6-5d7e63ce3b75\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9cee519f-d9c1-4fd9-9f79-24ec3449ed30\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#15": "{\n \"name\": \"Enforce-Guardrails-Compute\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Compute\",\n \"description\": \"This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Compute\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"diskDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vmAndVmssEncryptionHost\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87\",\n \"policyDefinitionReferenceId\": \"Deny-VmAndVmss-Encryption-Host\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vmAndVmssEncryptionHost')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816\",\n \"policyDefinitionReferenceId\": \"Deny-Disk-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('diskDoubleEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#16": "{\n \"name\": \"Enforce-Guardrails-ContainerApps\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsVnetInjection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApp-Vnet-Injection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsVnetInjection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#17": "{\n \"name\": \"Enforce-Guardrails-ContainerInstance\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Instances\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerInstanceVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8af8f826-edcb-4178-b35f-851ea6fea615\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceVnet')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#18": "{\n \"name\": \"Enforce-Guardrails-ContainerRegistry\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Registry\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Registry\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerRegistryUnrestrictedNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryExports\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistrySkuPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a9b426fe-8856-4945-8600-18c5dd1cca2a\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Repo-Token\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/42781ec6-6127-4c30-bdfa-fb423a0047d3\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Arm-Audience\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/785596ed-054f-41bc-aaec-7f3d0ba05725\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Arm-Audience\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd560fc0-3c69-498a-ae9f-aa8eb7de0e13\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Sku-PrivateLink\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistrySkuPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Anonymous-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Anonymous-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/524b0254-c285-4903-bee6-bb8126cde579\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Exports\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryExports')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff05e24e-195c-447e-b322-5e90c9f9f366\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Repo-Token\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Unrestricted-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryUnrestrictedNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3701552-92ea-433e-9d17-33b7f1208fc9\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#19": "{\n \"name\": \"Enforce-Guardrails-CosmosDb\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbAtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656\",\n \"policyDefinitionReferenceId\": \"Dine-CosmosDb-Atp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbAtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#10": "{\n \"name\": \"Enforce-Guardrails-APIM\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for API Management\",\n \"description\": \"This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"API Management\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"apiSubscriptionScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"minimumApiVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSkuVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"apimApiBackendCertValidation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDirectApiEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimCallApiAuthn\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimEncryptedProtocols\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimVnetUsage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSecrets\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Kv\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSecrets')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimVnetUsage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS\",\n \"policyDefinitionReferenceId\": \"Deny-APIM-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Protocols\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimEncryptedProtocols')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Authn\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimCallApiAuthn')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Direct-Endpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDirectApiEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Cert-Validation\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimApiBackendCertValidation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2\",\n \"policyDefinitionReferenceId\": \"Dine-Apim-Public-NetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/73ef9241-5d81-4cd4-b483-8443d1730fe5\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Sku-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSkuVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('minimumApiVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1\",\n \"policyDefinitionReferenceId\": \"Deny-Api-subscription-scope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apiSubscriptionScope')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#11": "{\n \"name\": \"Enforce-Guardrails-AppServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for App Service\",\n \"description\": \"This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"functionAppDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceSkuPl\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuthFtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceScmAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsVnetRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceEnvLatestVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceByoc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Byoc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceByoc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Remote-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Remote-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Latest-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceEnvLatestVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Vnet-Routing\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsVnetRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Rfc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222\",\n \"policyDefinitionReferenceId\": \"Deny-AppServiceApps-Rfc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb\",\n \"policyDefinitionReferenceId\": \"DINE-FuncApp-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-ScmAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceScmAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-Routing\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-FtpAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuthFtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/546fe8d2-368d-4029-a418-6af48a7f61e5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-SkuPl\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceSkuPl')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0f98368e-36bc-4716-8ac2-8f8067203b63\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Apps-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-App-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#12": "{\n \"name\": \"Enforce-Guardrails-Automation\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"autoHotPatch\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc\",\n \"policyDefinitionReferenceId\": \"Deny-Windows-Vm-HotPatch\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('autoHotPatch')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#13": "{\n \"name\": \"Enforce-Guardrails-CognitiveServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cognitive Services\",\n \"description\": \"This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveSearchSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-SKU\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6300012e-e9a4-4649-b41f-a85f5c43be91\",\n \"policyDefinitionReferenceId\": \"Deny-CongitiveSearch-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4eb216f2-9dba-4979-86e6-5d7e63ce3b75\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9cee519f-d9c1-4fd9-9f79-24ec3449ed30\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#14": "{\n \"name\": \"Enforce-Guardrails-Compute\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Compute\",\n \"description\": \"This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Compute\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"diskDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vmAndVmssEncryptionHost\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87\",\n \"policyDefinitionReferenceId\": \"Deny-VmAndVmss-Encryption-Host\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vmAndVmssEncryptionHost')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816\",\n \"policyDefinitionReferenceId\": \"Deny-Disk-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('diskDoubleEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#15": "{\n \"name\": \"Enforce-Guardrails-ContainerApps\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsVnetInjection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApp-Vnet-Injection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsVnetInjection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#16": "{\n \"name\": \"Enforce-Guardrails-ContainerInstance\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Instances\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerInstanceVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8af8f826-edcb-4178-b35f-851ea6fea615\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceVnet')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#17": "{\n \"name\": \"Enforce-Guardrails-ContainerRegistry\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Registry\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Registry\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerRegistryUnrestrictedNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryExports\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistrySkuPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a9b426fe-8856-4945-8600-18c5dd1cca2a\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Repo-Token\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/42781ec6-6127-4c30-bdfa-fb423a0047d3\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Arm-Audience\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/785596ed-054f-41bc-aaec-7f3d0ba05725\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Arm-Audience\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd560fc0-3c69-498a-ae9f-aa8eb7de0e13\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Sku-PrivateLink\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistrySkuPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Anonymous-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Anonymous-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/524b0254-c285-4903-bee6-bb8126cde579\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Exports\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryExports')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff05e24e-195c-447e-b322-5e90c9f9f366\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Repo-Token\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Unrestricted-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryUnrestrictedNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3701552-92ea-433e-9d17-33b7f1208fc9\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#18": "{\n \"name\": \"Enforce-Guardrails-CosmosDb\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbAtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656\",\n \"policyDefinitionReferenceId\": \"Dine-CosmosDb-Atp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbAtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#19": "{\n \"name\": \"Enforce-Guardrails-DataExplorer\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Explorer\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Explorer is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Azure Data Explorer\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adxEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1fec9658-933f-4b3e-bc95-913ed22d012b\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Sku-without-PL-Support\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7b32f193-cb28-4e15-9a98-b9556db0bafa\",\n \"policyDefinitionReferenceId\": \"Modify-ADX-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#2": "{\n \"name\": \"Deploy-Sql-Security\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy SQL Database built-in SQL security configuration\",\n \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-Sql-Security_20240529.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-Sql-Security_20240529\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"metadata\": {\n \"description\": \"The email address to send alerts\",\n \"displayName\": \"The email address to send alerts\"\n },\n \"type\": \"String\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n },\n \"type\": \"String\"\n },\n \"SqlDbTdeDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n }\n },\n \"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n }\n },\n \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL database auditing settings\",\n \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n }\n },\n \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#20": "{\n \"name\": \"Enforce-Guardrails-DataExplorer\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Explorer\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Explorer is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Azure Data Explorer\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adxEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1fec9658-933f-4b3e-bc95-913ed22d012b\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Sku-without-PL-Support\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7b32f193-cb28-4e15-9a98-b9556db0bafa\",\n \"policyDefinitionReferenceId\": \"Modify-ADX-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#21": "{\n \"name\": \"Enforce-Guardrails-DataFactory\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Factory\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Factory is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Data Factory\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adfSqlIntegration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfLinkedServiceKeyVault\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfGit\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f78ccdb4-7bf4-4106-8647-270491d2978a\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/77d40665-3120-4348-b539-3192ec808307\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Git\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfGit')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/127ef6d7-242f-43b3-9eef-947faf1725d0\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Linked-Service-Key-Vault\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfLinkedServiceKeyVault')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0088bc63-6dee-4a9c-9d29-91cfdc848952\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Sql-Integration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfSqlIntegration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08b1442b-7789-4130-8506-4f99a97226a7\",\n \"policyDefinitionReferenceId\": \"Modify-Adf-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#22": "{\n \"name\": \"Enforce-Guardrails-EventGrid\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Grid\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Grid is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Grid\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventGridLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2dd0e8b9-4289-4bb0-b813-1883298e9924\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Partner-Namespace-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae9fb87f-8a17-4428-94a4-8135d431055c\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c8144d9-746a-4501-b08c-093c8d29ad04\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8632b003-3545-4b29-85e6-b2b96773df1e\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Partner-Namespace-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8bfadddb-ee1c-4639-8911-a38cb8e0b3bd\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/898e9824-104c-4965-8e0e-5197588fa5d4\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/36ea4b4b-0f7f-4a54-89fa-ab18f555a172\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#23": "{\n \"name\": \"Enforce-Guardrails-EventHub\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Hub\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Hub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventHubAuthRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/836cd60e-87f3-4e6a-a27c-29d687f01a4c\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/57f35901-8389-40bb-ac49-3ba4f86d889d\",\n \"policyDefinitionReferenceId\": \"Modify-EH-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5d4e3c65-4873-47be-94f3-6f8b953a3598\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Auth-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubAuthRules')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#24": "{\n \"name\": \"Enforce-Guardrails-KeyVault-Sup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce additional recommended guardrails for Key Vault\",\n \"description\": \"This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"keyVaultManagedHsmDisablePublicNetworkModify\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"keyVaultModifyFw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456\",\n \"policyDefinitionReferenceId\": \"Modify-KV-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\",\n \"policyDefinitionReferenceId\": \"Modify-KV-Fw\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultModifyFw')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#25": "{\n \"name\": \"Enforce-Guardrails-Kubernetes\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Kubernetes\",\n \"description\": \"This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Kubernetes\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aksKms\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksCni\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivateCluster\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksCommandInvoke\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksReadinessOrLivenessProbes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivContainers\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivEscalation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksAllowedCapabilities\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksTempDisk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksInternalLb\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksDefaultNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksNakedPods\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksShareHostProcessAndNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksWindowsContainerAdministrator\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5485eac0-7e8f-4964-998b-a44f4f0c1e75\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Windows-Container-Administrator\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksWindowsContainerAdministrator')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Shared-Host-Process-Namespace\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksShareHostProcessAndNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65280eef-c8b4-425e-9aec-af55e55bf581\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Naked-Pods\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksNakedPods')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Default-Namespace\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksDefaultNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Internal-Lb\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksInternalLb')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Temp-Disk-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksTempDisk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Allowed-Capabilities\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksAllowedCapabilities')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Escalation\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivEscalation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Containers\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivContainers')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b1a9997f-2883-4f12-bdff-2280f99b5915\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-ReadinessOrLiveness-Probes\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksReadinessOrLivenessProbes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b708b0a-3380-40e9-8b79-821f9fa224cc\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Command-Invoke\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCommandInvoke')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Policy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPolicy')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Private-Cluster\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivateCluster')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dbbdc317-9734-4dd8-9074-993b29c69008\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Kms\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksKms')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46238e2f-3f6f-4589-9f3f-77bed4116e67\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Cni\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCni')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#26": "{\n \"name\": \"Enforce-Guardrails-MachineLearning\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Machine Learning\",\n \"description\": \"This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mlUserAssignedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"mlLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlOutdatedOS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f110a506-2dcb-422e-bcea-d533fc8c35e2\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Outdated-Os\",\n \"groupNames\": [],\n \"parameters\": {\n \"effects\": {\n \"value\": \"[[parameters('mlOutdatedOS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6f9a2d0-cff7-4855-83ad-4cd750666512\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0c7d88-c7de-45b8-ac49-db49e72eaa78\",\n \"policyDefinitionReferenceId\": \"Deny-ML-User-Assigned-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlUserAssignedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a10ee784-7409-4941-b091-663697637c0f\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#27": "{\n \"name\": \"Enforce-Guardrails-MySQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mySqlInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlInfraEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#28": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafAfdEnabled\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Afd-Enabled\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafAfdEnabled')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#29": "{\n \"name\": \"Enforce-Guardrails-OpenAI\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Open AI (Cognitive Service)\",\n \"description\": \"This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveServicesOutboundNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAcls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesCustomerStorage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-OutboundNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesOutboundNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-NetworkAcls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAcls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Cust-Storage\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesCustomerStorage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyDisableLocalAuth')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#20": "{\n \"name\": \"Enforce-Guardrails-DataFactory\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Factory\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Factory is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Data Factory\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adfSqlIntegration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfLinkedServiceKeyVault\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfGit\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f78ccdb4-7bf4-4106-8647-270491d2978a\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/77d40665-3120-4348-b539-3192ec808307\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Git\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfGit')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/127ef6d7-242f-43b3-9eef-947faf1725d0\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Linked-Service-Key-Vault\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfLinkedServiceKeyVault')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0088bc63-6dee-4a9c-9d29-91cfdc848952\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Sql-Integration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfSqlIntegration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08b1442b-7789-4130-8506-4f99a97226a7\",\n \"policyDefinitionReferenceId\": \"Modify-Adf-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#21": "{\n \"name\": \"Enforce-Guardrails-EventGrid\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Grid\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Grid is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Grid\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventGridLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2dd0e8b9-4289-4bb0-b813-1883298e9924\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Partner-Namespace-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae9fb87f-8a17-4428-94a4-8135d431055c\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c8144d9-746a-4501-b08c-093c8d29ad04\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8632b003-3545-4b29-85e6-b2b96773df1e\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Partner-Namespace-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8bfadddb-ee1c-4639-8911-a38cb8e0b3bd\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/898e9824-104c-4965-8e0e-5197588fa5d4\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/36ea4b4b-0f7f-4a54-89fa-ab18f555a172\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#22": "{\n \"name\": \"Enforce-Guardrails-EventHub\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Hub\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Hub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventHubAuthRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/836cd60e-87f3-4e6a-a27c-29d687f01a4c\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/57f35901-8389-40bb-ac49-3ba4f86d889d\",\n \"policyDefinitionReferenceId\": \"Modify-EH-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5d4e3c65-4873-47be-94f3-6f8b953a3598\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Auth-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubAuthRules')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#23": "{\n \"name\": \"Enforce-Guardrails-KeyVault-Sup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce additional recommended guardrails for Key Vault\",\n \"description\": \"This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"keyVaultManagedHsmDisablePublicNetworkModify\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"keyVaultModifyFw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456\",\n \"policyDefinitionReferenceId\": \"Modify-KV-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\",\n \"policyDefinitionReferenceId\": \"Modify-KV-Fw\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultModifyFw')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#24": "{\n \"name\": \"Enforce-Guardrails-Kubernetes\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Kubernetes\",\n \"description\": \"This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Kubernetes\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aksKms\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksCni\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivateCluster\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksCommandInvoke\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksReadinessOrLivenessProbes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivContainers\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivEscalation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksAllowedCapabilities\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksTempDisk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksInternalLb\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksDefaultNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksNakedPods\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksShareHostProcessAndNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksWindowsContainerAdministrator\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5485eac0-7e8f-4964-998b-a44f4f0c1e75\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Windows-Container-Administrator\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksWindowsContainerAdministrator')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Shared-Host-Process-Namespace\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksShareHostProcessAndNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65280eef-c8b4-425e-9aec-af55e55bf581\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Naked-Pods\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksNakedPods')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Default-Namespace\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksDefaultNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Internal-Lb\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksInternalLb')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Temp-Disk-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksTempDisk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Allowed-Capabilities\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksAllowedCapabilities')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Escalation\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivEscalation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Containers\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivContainers')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b1a9997f-2883-4f12-bdff-2280f99b5915\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-ReadinessOrLiveness-Probes\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksReadinessOrLivenessProbes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b708b0a-3380-40e9-8b79-821f9fa224cc\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Command-Invoke\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCommandInvoke')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Policy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPolicy')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Private-Cluster\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivateCluster')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dbbdc317-9734-4dd8-9074-993b29c69008\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Kms\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksKms')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46238e2f-3f6f-4589-9f3f-77bed4116e67\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Cni\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCni')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#25": "{\n \"name\": \"Enforce-Guardrails-MachineLearning\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Machine Learning\",\n \"description\": \"This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mlUserAssignedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"mlLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlOutdatedOS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f110a506-2dcb-422e-bcea-d533fc8c35e2\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Outdated-Os\",\n \"groupNames\": [],\n \"parameters\": {\n \"effects\": {\n \"value\": \"[[parameters('mlOutdatedOS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6f9a2d0-cff7-4855-83ad-4cd750666512\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0c7d88-c7de-45b8-ac49-db49e72eaa78\",\n \"policyDefinitionReferenceId\": \"Deny-ML-User-Assigned-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlUserAssignedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a10ee784-7409-4941-b091-663697637c0f\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#26": "{\n \"name\": \"Enforce-Guardrails-MySQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mySqlInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlInfraEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#27": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafAfdEnabled\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Afd-Enabled\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafAfdEnabled')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#28": "{\n \"name\": \"Enforce-Guardrails-OpenAI\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Open AI (Cognitive Service)\",\n \"description\": \"This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveServicesOutboundNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAcls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesCustomerStorage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-OutboundNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesOutboundNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-NetworkAcls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAcls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Cust-Storage\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesCustomerStorage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyDisableLocalAuth')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#29": "{\n \"name\": \"Enforce-Guardrails-PostgreSQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for PostgreSQL\",\n \"description\": \"This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"PostgreSQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"postgreSqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3\",\n \"policyDefinitionReferenceId\": \"Dine-PostgreSql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#3": "{\n \"name\": \"Deploy-Sql-Security_20240529\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy SQL Database built-in SQL security configuration\",\n \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-Sql-Security\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"metadata\": {\n \"description\": \"The email address to send alerts\",\n \"displayName\": \"The email address to send alerts\"\n },\n \"type\": \"Array\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n },\n \"type\": \"String\"\n },\n \"SqlDbTdeDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n }\n },\n \"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n }\n },\n \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL database auditing settings\",\n \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n }\n },\n \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments_20230706\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#30": "{\n \"name\": \"Enforce-Guardrails-PostgreSQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for PostgreSQL\",\n \"description\": \"This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"PostgreSQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"postgreSqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3\",\n \"policyDefinitionReferenceId\": \"Dine-PostgreSql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#31": "{\n \"name\": \"Enforce-Guardrails-ServiceBus\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Service Bus\",\n \"description\": \"This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Service Bus\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"serviceBusModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyDisabledLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusAuthzRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Authz-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusAuthzRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebaf4f25-a4e8-415f-86a8-42d9155bef0b\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfb11c26-f069-4c14-8e36-56c394dae5af\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyDisabledLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e\",\n \"policyDefinitionReferenceId\": \"Modify-Sb-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusModifyDisableLocalAuth')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#32": "{\n \"name\": \"Enforce-Guardrails-SQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for SQL and SQL Managed Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"sqlManagedAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"modifySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Managed-Defender\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Aad-Only\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Aad-Only\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Adv-Data\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b\",\n \"policyDefinitionReferenceId\": \"Modify-Sql-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifySqlPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#33": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\n \"policyDefinitionReferenceId\": \"Dine-Storage-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#34": "{\n \"name\": \"Enforce-Guardrails-Synapse\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Synapse workspaces\",\n \"description\": \"This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Synapse\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"synapseLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseManagedVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseDataTraffic\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTenants\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseAllowedTenantIds\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"[[subscription().tenantId]\"\n ]\n },\n \"synapseFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"synapseModifyTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6\",\n \"policyDefinitionReferenceId\": \"Dine-Synapse-Defender\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3624673-d2ff-48e0-b28c-5de1c6767c3c\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56fd377d-098c-4f02-8406-81eb055902b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a003702-13d2-4679-941b-937e58c443f0\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tenant-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTenants')]\"\n },\n \"allowedTenantIds\": {\n \"value\": \"[[parameters('synapseAllowedTenantIds')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3484ce98-c0c5-4c83-994b-c5ac24785218\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Data-Traffic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDataTraffic')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d9dbfa3-927b-4cf0-9d0f-08747f971650\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Managed-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseManagedVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b5c654c-fb07-471b-aa8f-15fea733f140\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c8cad01-ef30-4891-b230-652dadb4876a\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#35": "{\n \"name\": \"Enforce-Guardrails-VirtualDesktop\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Virtual Desktop\",\n \"description\": \"This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Desktop Virtualization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"avdWorkspaceModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ce6ebf1d-0b94-4df9-9257-d8cacc238b4f\",\n \"policyDefinitionReferenceId\": \"Modify-Workspace-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspaceModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a0913ff-51e7-47b8-97bb-ea17127f7c8d\",\n \"policyDefinitionReferenceId\": \"Modify-Hostpool-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#36": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"5.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registries with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"PostgreSQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSql Flexible Server\",\n \"description\": \"This policy denies creation of PostgreSQL Flexible DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"postgreSqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSQL servers\",\n \"description\": \"This policy denies creation of PostgreSQL DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MySQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for MySQL Flexible Server\",\n \"description\": \"This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MlPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Machine Learning\",\n \"description\": \"This policy denies creation of Azure Machine Learning with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"RedisCachePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Cache for Redis\",\n \"description\": \"This policy denies creation of Azure Cache for Redis with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BotServicePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Bot Service\",\n \"description\": \"This policy denies creation of Bot Service with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AutomationPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Automation accounts\",\n \"description\": \"This policy denies creation of Automation accounts with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AppConfigPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Configuration\",\n \"description\": \"This policy denies creation of App Configuration with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionAppSlotPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service Environment apps\",\n \"description\": \"This policy denies creation of App Service Environment apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service apps\",\n \"description\": \"This policy denies creation of App Service apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ApiManPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for API Management services\",\n \"description\": \"This policy denies creation of API Management services with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n },\n \"ContainerAppsEnvironmentDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Container Apps environment should disable public network access\",\n \"description\": \"This policy denies creation of Container Apps Environment with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsrVaultDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Azure Recovery Services vaults should disable public network access\",\n \"description\": \"This policy denies creation of Azure Recovery Services vaults with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"logicAppPublicNetworkAccessEffect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"appSlotsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"cognitiveSearchPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"managedDiskPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"containerAppsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmDisablePublicNetwork\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapsePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdWorkspacePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"grafanaPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-PostgreSql-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MlPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisCachePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BotServiceDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BotServicePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppConfigDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppConfigPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppSlotsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/11c82d0c-db9f-4d7b-97c5-f3f9aa957da2\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppSlotPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AseDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApiManDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ApiManPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsEnvironmentDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsEnvironmentDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/783ea2a8-b8fd-46be-896a-9ae79643a0b1\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"AsrVaultDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9ebbbba3-4d65-4da9-bb67-b22cfaaff090\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsrVaultDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppPublicNetworkAccessEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/701a595d-38fb-4a66-ae6d-fb3735217622\",\n \"policyDefinitionReferenceId\": \"Deny-AppSlots-Public\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appSlotsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8405fdab-1faf-48aa-b702-999c9c172094\",\n \"policyDefinitionReferenceId\": \"Deny-ManagedDisk-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('managedDiskPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43bc7be6-5e69-4b0d-a2bb-e815557ca673\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1cf164be-6819-4a50-b8fa-4bcaa4f98fb6\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8f774be-6aee-492a-9e29-486ef81f3a68\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1adadefe-5f21-44f7-b931-a59b54ccdb45\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0602787f-9896-402a-a6e1-39ee63ee435e\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/19ea9d63-adee-4431-a95e-1913c6c1c75f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PublicNetwork\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetwork')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cbd11fd3-3002-4907-b6c8-579f0e700e13\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Public-Endpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Public-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsPublicAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/38d8df46-cf4e-4073-8e03-48c24b29de0d\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapsePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ac3038-c07a-4b92-860d-29e270a4f3cd\",\n \"policyDefinitionReferenceId\": \"Deny-Workspace-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspacePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c25dcf31-878f-4eba-98eb-0818fdc6a334\",\n \"policyDefinitionReferenceId\": \"Deny-Hostpool-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8775d5a-73b7-4977-a39b-833ef0114628\",\n \"policyDefinitionReferenceId\": \"Deny-Grafana-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('grafanaPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#37": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. This policy set is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"2.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for API Management to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for API Management to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for Firewall to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for Firewall to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Log Analytics to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category Audit enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AVDScalingPlansLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AVDScalingPlansLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#38": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html\",\n \"metadata\": {\n \"version\": \"7.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-MDFC-Config_20240319\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"default\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForApis\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForApis\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForApis')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#39": "{\n \"name\": \"Deploy-MDFC-Config_20240319\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-MDFC-Config\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"mdeTvm\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#30": "{\n \"name\": \"Enforce-Guardrails-ServiceBus\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Service Bus\",\n \"description\": \"This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Service Bus\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"serviceBusModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyDisabledLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusAuthzRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Authz-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusAuthzRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebaf4f25-a4e8-415f-86a8-42d9155bef0b\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfb11c26-f069-4c14-8e36-56c394dae5af\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyDisabledLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e\",\n \"policyDefinitionReferenceId\": \"Modify-Sb-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusModifyDisableLocalAuth')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#31": "{\n \"name\": \"Enforce-Guardrails-SQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for SQL and SQL Managed Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"sqlManagedAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"modifySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Managed-Defender\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Aad-Only\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Aad-Only\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Adv-Data\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b\",\n \"policyDefinitionReferenceId\": \"Modify-Sql-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifySqlPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#32": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\n \"policyDefinitionReferenceId\": \"Dine-Storage-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#33": "{\n \"name\": \"Enforce-Guardrails-Synapse\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Synapse workspaces\",\n \"description\": \"This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Synapse\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"synapseLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseManagedVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseDataTraffic\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTenants\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseAllowedTenantIds\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"[[subscription().tenantId]\"\n ]\n },\n \"synapseFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"synapseModifyTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6\",\n \"policyDefinitionReferenceId\": \"Dine-Synapse-Defender\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3624673-d2ff-48e0-b28c-5de1c6767c3c\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56fd377d-098c-4f02-8406-81eb055902b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a003702-13d2-4679-941b-937e58c443f0\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tenant-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTenants')]\"\n },\n \"allowedTenantIds\": {\n \"value\": \"[[parameters('synapseAllowedTenantIds')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3484ce98-c0c5-4c83-994b-c5ac24785218\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Data-Traffic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDataTraffic')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d9dbfa3-927b-4cf0-9d0f-08747f971650\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Managed-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseManagedVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b5c654c-fb07-471b-aa8f-15fea733f140\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c8cad01-ef30-4891-b230-652dadb4876a\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#34": "{\n \"name\": \"Enforce-Guardrails-VirtualDesktop\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Virtual Desktop\",\n \"description\": \"This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Desktop Virtualization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"avdWorkspaceModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ce6ebf1d-0b94-4df9-9257-d8cacc238b4f\",\n \"policyDefinitionReferenceId\": \"Modify-Workspace-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspaceModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a0913ff-51e7-47b8-97bb-ea17127f7c8d\",\n \"policyDefinitionReferenceId\": \"Modify-Hostpool-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#35": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"5.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registries with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"PostgreSQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSql Flexible Server\",\n \"description\": \"This policy denies creation of PostgreSQL Flexible DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"postgreSqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSQL servers\",\n \"description\": \"This policy denies creation of PostgreSQL DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MySQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for MySQL Flexible Server\",\n \"description\": \"This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MlPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Machine Learning\",\n \"description\": \"This policy denies creation of Azure Machine Learning with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"RedisCachePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Cache for Redis\",\n \"description\": \"This policy denies creation of Azure Cache for Redis with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BotServicePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Bot Service\",\n \"description\": \"This policy denies creation of Bot Service with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AutomationPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Automation accounts\",\n \"description\": \"This policy denies creation of Automation accounts with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AppConfigPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Configuration\",\n \"description\": \"This policy denies creation of App Configuration with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionAppSlotPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service Environment apps\",\n \"description\": \"This policy denies creation of App Service Environment apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service apps\",\n \"description\": \"This policy denies creation of App Service apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ApiManPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for API Management services\",\n \"description\": \"This policy denies creation of API Management services with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n },\n \"ContainerAppsEnvironmentDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Container Apps environment should disable public network access\",\n \"description\": \"This policy denies creation of Container Apps Environment with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsrVaultDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Azure Recovery Services vaults should disable public network access\",\n \"description\": \"This policy denies creation of Azure Recovery Services vaults with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"logicAppPublicNetworkAccessEffect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"appSlotsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"cognitiveSearchPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"managedDiskPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"containerAppsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmDisablePublicNetwork\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapsePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdWorkspacePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"grafanaPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-PostgreSql-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MlPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisCachePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BotServiceDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BotServicePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppConfigDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppConfigPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppSlotsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/11c82d0c-db9f-4d7b-97c5-f3f9aa957da2\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppSlotPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AseDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApiManDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ApiManPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsEnvironmentDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsEnvironmentDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/783ea2a8-b8fd-46be-896a-9ae79643a0b1\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"AsrVaultDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9ebbbba3-4d65-4da9-bb67-b22cfaaff090\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsrVaultDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppPublicNetworkAccessEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/701a595d-38fb-4a66-ae6d-fb3735217622\",\n \"policyDefinitionReferenceId\": \"Deny-AppSlots-Public\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appSlotsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8405fdab-1faf-48aa-b702-999c9c172094\",\n \"policyDefinitionReferenceId\": \"Deny-ManagedDisk-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('managedDiskPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43bc7be6-5e69-4b0d-a2bb-e815557ca673\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1cf164be-6819-4a50-b8fa-4bcaa4f98fb6\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8f774be-6aee-492a-9e29-486ef81f3a68\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1adadefe-5f21-44f7-b931-a59b54ccdb45\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0602787f-9896-402a-a6e1-39ee63ee435e\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/19ea9d63-adee-4431-a95e-1913c6c1c75f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PublicNetwork\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetwork')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cbd11fd3-3002-4907-b6c8-579f0e700e13\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Public-Endpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Public-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsPublicAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/38d8df46-cf4e-4073-8e03-48c24b29de0d\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapsePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ac3038-c07a-4b92-860d-29e270a4f3cd\",\n \"policyDefinitionReferenceId\": \"Deny-Workspace-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspacePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c25dcf31-878f-4eba-98eb-0818fdc6a334\",\n \"policyDefinitionReferenceId\": \"Deny-Hostpool-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8775d5a-73b7-4977-a39b-833ef0114628\",\n \"policyDefinitionReferenceId\": \"Deny-Grafana-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('grafanaPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#36": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. This policy set is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"2.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for API Management to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for API Management to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for Firewall to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for Firewall to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Log Analytics to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category Audit enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AVDScalingPlansLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AVDScalingPlansLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#37": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html\",\n \"metadata\": {\n \"version\": \"7.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-MDFC-Config_20240319\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"default\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForApis\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForApis\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForApis')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#38": "{\n \"name\": \"Deploy-MDFC-Config_20240319\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-MDFC-Config\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"mdeTvm\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#39": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"2.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDatabricksPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDatabricksPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureHDInsightPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMigratePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMigratePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueueSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueueSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesKeyPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesKeyPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesLivePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesLivePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesStreamPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesStreamPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBotServicePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBotServicePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureManagedGrafanaWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureManagedGrafanaWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotDeviceupdatePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotDeviceupdatePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcGuestconfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcGuestconfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcHybridResourceProviderPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcHybridResourceProviderPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcKubernetesConfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcKubernetesConfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotCentralPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotCentralPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-UI-Api\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"databricks_ui_api\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-Browser-AuthN\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"browser_authentication\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Migrate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMigratePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Key\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesKeyPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"keydelivery\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Live\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesLivePrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"liveevent\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Stream\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesStreamPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"streamingendpoint\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-BotService\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6a4e6f44-f2af-4082-9702-033c9e88b9f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBotServicePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ManagedGrafanaWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4c8537f8-cd1b-49ec-b704-18e82a42fd58\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureManagedGrafanaWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTDeviceupdate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotDeviceupdatePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Arc\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9\",\n \"parameters\":{\n \"privateDnsZoneIDForGuestConfiguration\": {\n \"value\": \"[[parameters('azureArcGuestconfigurationPrivateDnsZoneId')]\"\n },\n \"privateDnsZoneIDForHybridResourceProvider\": {\n \"value\": \"[[parameters('azureArcHybridResourceProviderPrivateDnsZoneId')]\"\n },\n \"privateDnsZoneIDForKubernetesConfiguration\": {\n \"value\": \"[[parameters('azureArcKubernetesConfigurationPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTCentral\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d627d7c6-ded5-481a-8f2e-7e16b1e6faf6\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotCentralPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTablePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#4": "{\n \"name\": \"Enforce-EncryptTransit\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html\",\n \"metadata\": {\n \"version\": \"2.1.0-deprecated\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Enforce-EncryptTransit_20240509\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"StorageHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }", - "$fxv#40": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"2.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDatabricksPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDatabricksPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureHDInsightPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMigratePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMigratePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueueSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueueSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesKeyPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesKeyPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesLivePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesLivePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesStreamPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesStreamPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBotServicePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBotServicePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureManagedGrafanaWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureManagedGrafanaWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotDeviceupdatePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotDeviceupdatePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcGuestconfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcGuestconfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcHybridResourceProviderPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcHybridResourceProviderPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcKubernetesConfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcKubernetesConfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotCentralPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotCentralPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-UI-Api\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"databricks_ui_api\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-Browser-AuthN\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"browser_authentication\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Migrate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMigratePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Key\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesKeyPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"keydelivery\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Live\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesLivePrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"liveevent\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Stream\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesStreamPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"streamingendpoint\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-BotService\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6a4e6f44-f2af-4082-9702-033c9e88b9f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBotServicePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ManagedGrafanaWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4c8537f8-cd1b-49ec-b704-18e82a42fd58\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureManagedGrafanaWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTDeviceupdate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotDeviceupdatePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Arc\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9\",\n \"parameters\":{\n \"privateDnsZoneIDForGuestConfiguration\": {\n \"value\": \"[[parameters('azureArcGuestconfigurationPrivateDnsZoneId')]\"\n },\n \"privateDnsZoneIDForHybridResourceProvider\": {\n \"value\": \"[[parameters('azureArcHybridResourceProviderPrivateDnsZoneId')]\"\n },\n \"privateDnsZoneIDForKubernetesConfiguration\": {\n \"value\": \"[[parameters('azureArcKubernetesConfigurationPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTCentral\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d627d7c6-ded5-481a-8f2e-7e16b1e6faf6\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotCentralPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTablePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#41": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"3.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"HealthcareAPIsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest\",\n \"description\": \"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n },\n \"AutomationAccountCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"BackupCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"osAndDataDiskCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerInstanceCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"eventHubPremiumCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlManagedCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageTableCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsEncryptionCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageQueueCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HealthcareAPIsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('HealthcareAPIsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationAccountCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671\",\n \"policyDefinitionReferenceId\": \"Deny-Backup-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BackupCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0\",\n \"policyDefinitionReferenceId\": \"Deny-OsAndDataDisk-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('osAndDataDiskCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Premium-CMK\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubPremiumCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c322315-e26d-4174-a99e-f49d351b4688\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Table-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageTableCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Encryption-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsEncryptionCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e5abd0-2554-4736-b7c0-4ffef23475ef\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Queue-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageQueueCmk')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#42": "{\n \"name\": \"Enforce-ACSB\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce Azure Compute Security Benchmark compliance auditing\",\n \"description\": \"Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Guest Configuration\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"includeArcMachines\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"true\",\n \"false\"\n ],\n \"metadata\": {\n \"displayName\": \"Include Arc connected servers\",\n \"description\": \"By selecting this option, you agree to be charged monthly per Arc connected machine.\"\n },\n \"defaultValue\": \"true\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"GcIdentity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#43": "{\n \"name\": \"Deploy-MDFC-DefenderSQL-AMA\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Configure SQL VM and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LAW\",\n \"description\": \"Initiative is deprecated as the built-in initiative now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/de01d381-bae9-4670-8870-786f89f49e26.html\",\n \"metadata\": {\n \"version\": \"1.0.1-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"de01d381-bae9-4670-8870-786f89f49e26\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace Resource Id\",\n \"description\": \"Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Enable collection of SQL queries for security research\",\n \"description\": \"Enable or disable the collection of SQL queries for security research.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"identityResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Identity Resource Group\",\n \"description\": \"The name of the resource group created by the policy.\"\n },\n \"defaultValue\": \"\"\n },\n \"userAssignedIdentityName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User Assigned Managed Identity Name\",\n \"description\": \"The name of the user assigned managed identity.\"\n },\n \"defaultValue\": \"\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3592ff98-9787-443a-af59-4505d0fe0786\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65503269-6a54-4553-8a28-0065a8e6d929\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-Sql-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcDcrAssociation\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DCR-Association\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"identityResourceGroup\": {\n \"value\": \"[[parameters('identityResourceGroup')]\"\n },\n \"userAssignedIdentityName\": {\n \"value\": \"[[parameters('userAssignedIdentityName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Disabled\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#44": "{\n \"name\": \"Enforce-Backup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce enhanced recovery and backup policies\",\n \"description\": \"Enforce enhanced recovery and backup policies on assigned scopes.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Backup\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"checkLockedImmutabilityOnly\",\n \"description\": \"This parameter checks if Immutability is locked for Backup Vaults in scope. Selecting 'true' will mark only vaults with Immutability 'Locked' as compliant. Selecting 'false' will mark vaults that have Immutability either 'Enabled' or 'Locked' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"CheckAlwaysOnSoftDeleteOnly\",\n \"description\": \"This parameter checks if Soft Delete is 'Locked' for Backup Vaults in scope. Selecting 'true' will mark only vaults with Soft Delete 'AlwaysOn' as compliant. Selecting 'false' will mark vaults that have Soft Delete either 'On' or 'AlwaysOn' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2514263b-bc0d-4b06-ac3e-f262c0979018\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabiltyOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6f6f560-14b7-49a4-9fc8-d2c3a9807868\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9798d31d-6028-4dee-8643-46102185c016\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/31b8092a-36b8-434b-9af7-5ec844364148\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c58e083e-7982-4e24-afdc-be14d312389e\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c7031eab-0fc0-4cd9-acd0-4497bd66d91a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#40": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"3.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"HealthcareAPIsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest\",\n \"description\": \"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n },\n \"AutomationAccountCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"BackupCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"osAndDataDiskCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerInstanceCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"eventHubPremiumCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlManagedCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageTableCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsEncryptionCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageQueueCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HealthcareAPIsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('HealthcareAPIsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationAccountCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671\",\n \"policyDefinitionReferenceId\": \"Deny-Backup-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BackupCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0\",\n \"policyDefinitionReferenceId\": \"Deny-OsAndDataDisk-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('osAndDataDiskCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Premium-CMK\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubPremiumCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c322315-e26d-4174-a99e-f49d351b4688\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Table-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageTableCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Encryption-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsEncryptionCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e5abd0-2554-4736-b7c0-4ffef23475ef\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Queue-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageQueueCmk')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#41": "{\n \"name\": \"Enforce-ACSB\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce Azure Compute Security Benchmark compliance auditing\",\n \"description\": \"Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Guest Configuration\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"includeArcMachines\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"true\",\n \"false\"\n ],\n \"metadata\": {\n \"displayName\": \"Include Arc connected servers\",\n \"description\": \"By selecting this option, you agree to be charged monthly per Arc connected machine.\"\n },\n \"defaultValue\": \"true\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"GcIdentity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#42": "{\n \"name\": \"Deploy-MDFC-DefenderSQL-AMA\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Configure SQL VM and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LAW\",\n \"description\": \"Initiative is deprecated as the built-in initiative now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/de01d381-bae9-4670-8870-786f89f49e26.html\",\n \"metadata\": {\n \"version\": \"1.0.1-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"de01d381-bae9-4670-8870-786f89f49e26\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace Resource Id\",\n \"description\": \"Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Enable collection of SQL queries for security research\",\n \"description\": \"Enable or disable the collection of SQL queries for security research.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"identityResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Identity Resource Group\",\n \"description\": \"The name of the resource group created by the policy.\"\n },\n \"defaultValue\": \"\"\n },\n \"userAssignedIdentityName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User Assigned Managed Identity Name\",\n \"description\": \"The name of the user assigned managed identity.\"\n },\n \"defaultValue\": \"\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3592ff98-9787-443a-af59-4505d0fe0786\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65503269-6a54-4553-8a28-0065a8e6d929\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-Sql-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcDcrAssociation\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DCR-Association\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"identityResourceGroup\": {\n \"value\": \"[[parameters('identityResourceGroup')]\"\n },\n \"userAssignedIdentityName\": {\n \"value\": \"[[parameters('userAssignedIdentityName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Disabled\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#43": "{\n \"name\": \"Enforce-Backup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce enhanced recovery and backup policies\",\n \"description\": \"Enforce enhanced recovery and backup policies on assigned scopes.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Backup\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"checkLockedImmutabilityOnly\",\n \"description\": \"This parameter checks if Immutability is locked for Backup Vaults in scope. Selecting 'true' will mark only vaults with Immutability 'Locked' as compliant. Selecting 'false' will mark vaults that have Immutability either 'Enabled' or 'Locked' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"CheckAlwaysOnSoftDeleteOnly\",\n \"description\": \"This parameter checks if Soft Delete is 'Locked' for Backup Vaults in scope. Selecting 'true' will mark only vaults with Soft Delete 'AlwaysOn' as compliant. Selecting 'false' will mark vaults that have Soft Delete either 'On' or 'AlwaysOn' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2514263b-bc0d-4b06-ac3e-f262c0979018\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabiltyOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6f6f560-14b7-49a4-9fc8-d2c3a9807868\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9798d31d-6028-4dee-8643-46102185c016\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/31b8092a-36b8-434b-9af7-5ec844364148\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c58e083e-7982-4e24-afdc-be14d312389e\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c7031eab-0fc0-4cd9-acd0-4497bd66d91a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#44": "{\n \"name\": \"Enforce-ALZ-Decomm\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Decommissioned Landing Zone\",\n \"description\": \"Enforce policies in the Decommissioned Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Decommissioned\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [ \n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesAllowed\":{\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Allowed resource types in the Decommissioned landing zone\",\n \"description\": \"Allowed resource types in the Decommissioned landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DecomDenyResources\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c\",\n \"parameters\": {\n \"listOfResourceTypesAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DecomShutdownMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }\n ", "$fxv#45": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-KeyVaultPaasPublicIP\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#46": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#47": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#48": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-File-Sync\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-Web\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-KeyVault\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#48": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotDeviceupdatePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotDeviceupdatePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTDeviceupdate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotDeviceupdatePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTablePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#49": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#5": "{\n \"name\": \"Enforce-EncryptTransit_20240509\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#50": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", @@ -127,10 +127,10 @@ "$fxv#52": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccounts\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#53": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#54": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#6": "{\n \"name\": \"Enforce-ALZ-Decomm\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Decommissioned Landing Zone\",\n \"description\": \"Enforce policies in the Decommissioned Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Decommissioned\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [ \n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesAllowed\":{\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Allowed resource types in the Decommissioned landing zone\",\n \"description\": \"Allowed resource types in the Decommissioned landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DecomDenyResources\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c\",\n \"parameters\": {\n \"listOfResourceTypesAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DecomShutdownMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }\n ", - "$fxv#7": "{\n \"name\": \"Enforce-ALZ-Sandbox\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Sandbox Landing Zone\",\n \"description\": \"Enforce policies in the Sandbox Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Sandbox\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesNotAllowed\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Not allowed resource types in the Sandbox landing zone\",\n \"description\": \"Not allowed resource types in the Sandbox landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n },\n \"effectNotAllowedResources\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectDenyVnetPeering\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SandboxNotAllowed\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectNotAllowedResources')]\"\n },\n \"listOfResourceTypesNotAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesNotAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SandboxDenyVnetPeering\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDenyVnetPeering')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#8": "{\n \"name\": \"DenyAction-DeleteProtection\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"DenyAction Delete - Activity Log Settings and Diagnostic Settings\",\n \"description\": \"Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-DiagnosticSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-ActivityLogSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#9": "{\n \"name\": \"Deploy-AUM-CheckUpdates\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines\",\n \"description\": \"Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"assessmentMode\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Assessment mode\",\n \"description\": \"Assessment mode for the machines.\"\n },\n \"allowedValues\": [\n \"ImageDefault\",\n \"AutomaticByPlatform\"\n ],\n \"defaultValue\": \"AutomaticByPlatform\"\n },\n \"locations\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Machines locations\",\n \"description\": \"The list of locations from which machines need to be targeted.\",\n \"strongType\": \"location\"\n },\n \"defaultValue\": []\n },\n \"tagValues\": {\n \"type\": \"Object\",\n \"metadata\": {\n \"displayName\": \"Tags on machines\",\n \"description\": \"The list of tags that need to matched for getting target machines.\"\n },\n \"defaultValue\": {}\n },\n \"tagOperator\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Tag operator\",\n \"description\": \"Matching condition for resource tags\"\n },\n \"allowedValues\": [\n \"All\",\n \"Any\"\n ],\n \"defaultValue\": \"Any\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#6": "{\n \"name\": \"Enforce-ALZ-Sandbox\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Sandbox Landing Zone\",\n \"description\": \"Enforce policies in the Sandbox Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Sandbox\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesNotAllowed\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Not allowed resource types in the Sandbox landing zone\",\n \"description\": \"Not allowed resource types in the Sandbox landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n },\n \"effectNotAllowedResources\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectDenyVnetPeering\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SandboxNotAllowed\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectNotAllowedResources')]\"\n },\n \"listOfResourceTypesNotAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesNotAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SandboxDenyVnetPeering\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDenyVnetPeering')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#7": "{\n \"name\": \"DenyAction-DeleteProtection\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"DenyAction Delete - Activity Log Settings and Diagnostic Settings\",\n \"description\": \"Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-DiagnosticSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-ActivityLogSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#8": "{\n \"name\": \"Deploy-AUM-CheckUpdates\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines\",\n \"description\": \"Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"assessmentMode\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Assessment mode\",\n \"description\": \"Assessment mode for the machines.\"\n },\n \"allowedValues\": [\n \"ImageDefault\",\n \"AutomaticByPlatform\"\n ],\n \"defaultValue\": \"AutomaticByPlatform\"\n },\n \"locations\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Machines locations\",\n \"description\": \"The list of locations from which machines need to be targeted.\",\n \"strongType\": \"location\"\n },\n \"defaultValue\": []\n },\n \"tagValues\": {\n \"type\": \"Object\",\n \"metadata\": {\n \"displayName\": \"Tags on machines\",\n \"description\": \"The list of tags that need to matched for getting target machines.\"\n },\n \"defaultValue\": {}\n },\n \"tagOperator\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Tag operator\",\n \"description\": \"Matching condition for resource tags\"\n },\n \"allowedValues\": [\n \"All\",\n \"Any\"\n ],\n \"defaultValue\": \"Any\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#9": "{\n \"name\": \"Enforce-Guardrails-KeyVault\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultManagedHsmCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57\",\n \"policyDefinitionReferenceId\": \"Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "cloudEnv": "[environment().name]", "defaultDeploymentLocationByCloudType": { "AzureCloud": "northeurope", @@ -178,10 +178,10 @@ "[variables('$fxv#31')]", "[variables('$fxv#32')]", "[variables('$fxv#33')]", - "[variables('$fxv#34')]", - "[variables('$fxv#35')]" + "[variables('$fxv#34')]" ], "AzureCloud": [ + "[variables('$fxv#35')]", "[variables('$fxv#36')]", "[variables('$fxv#37')]", "[variables('$fxv#38')]", diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json index 2edbae4ca7..7a59b8f429 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.28.1.47646", - "templateHash": "1159734146410583397" + "version": "0.22.6.54827", + "templateHash": "502091197892104134" } }, "parameters": { @@ -84,64 +84,64 @@ "$fxv#102": "{\n \"name\": \"Deploy-SqlMi-minTLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"SQL managed instances deploy a specific min TLS version requirement.\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect SQL servers\",\n \"description\": \"Enable or disable the execution of the policy minimum TLS version SQL servers\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version for SQL server\",\n \"description\": \"Select version minimum TLS version SQL servers to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/managedInstances\"\n },\n {\n \"field\": \"Microsoft.Sql/managedInstances/minimalTlsVersion\",\n \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Sql/managedInstances\",\n \"evaluationDelay\": \"AfterProvisioningSuccess\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Sql/managedInstances/minimalTlsVersion\",\n \"equals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n },\n \"name\": \"current\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Sql/managedInstances\",\n \"apiVersion\": \"2020-02-02-preview\",\n \"name\": \"[[concat(parameters('resourceName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"minimalTlsVersion\": \"[[parameters('minimalTlsVersion')]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('minimalTlsVersion')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", "$fxv#103": "{\n \"name\": \"Deploy-Storage-sslEnforcement\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS \",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Storage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect Azure Storage\",\n \"description\": \"Enable or disable the execution of the policy minimum TLS version Azure STorage\"\n }\n },\n \"minimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select TLS version for Azure Storage server\",\n \"description\": \"Select version minimum TLS version Azure STorage to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\",\n \"notEquals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\n \"notEquals\": \"[[parameters('minimumTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Storage/storageAccounts\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\n \"equals\": \"[[parameters('minimumTlsVersion')]\"\n }\n ]\n },\n \"name\": \"current\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"minimumTlsVersion\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Storage/storageAccounts\",\n \"apiVersion\": \"2019-06-01\",\n \"name\": \"[[concat(parameters('resourceName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"supportsHttpsTrafficOnly\": true,\n \"minimumTlsVersion\": \"[[parameters('minimumTlsVersion')]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('minimumTlsVersion')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", "$fxv#104": "{\n \"name\": \"Deploy-VNET-HubSpoke\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy Virtual Network with peering to the hub\",\n \"description\": \"This policy deploys virtual network and peer to the hub\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vNetName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"vNetName\",\n \"description\": \"Name of the landing zone vNet\"\n }\n },\n \"vNetRgName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"vNetRgName\",\n \"description\": \"Name of the landing zone vNet RG\"\n }\n },\n \"vNetLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"vNetLocation\",\n \"description\": \"Location for the vNet\"\n }\n },\n \"vNetCidrRange\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"vNetCidrRange\",\n \"description\": \"CIDR Range for the vNet\"\n }\n },\n \"hubResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"hubResourceId\",\n \"description\": \"Resource ID for the HUB vNet\"\n }\n },\n \"dnsServers\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"DNSServers\",\n \"description\": \"Default domain servers for the vNET.\"\n },\n \"defaultValue\": []\n },\n \"vNetPeerUseRemoteGateway\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"vNetPeerUseRemoteGateway\",\n \"description\": \"Enable gateway transit for the LZ network\"\n },\n \"defaultValue\": false\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"deployIfNotExists\",\n \"details\": {\n \"type\": \"Microsoft.Network/virtualNetworks\",\n \"name\": \"[[parameters('vNetName')]\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"resourceGroup\",\n \"ResourceGroupName\": \"[[parameters('vNetRgName')]\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"name\",\n \"like\": \"[[parameters('vNetName')]\"\n },\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('vNetLocation')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"vNetRgName\": {\n \"value\": \"[[parameters('vNetRgName')]\"\n },\n \"vNetName\": {\n \"value\": \"[[parameters('vNetName')]\"\n },\n \"vNetLocation\": {\n \"value\": \"[[parameters('vNetLocation')]\"\n },\n \"vNetCidrRange\": {\n \"value\": \"[[parameters('vNetCidrRange')]\"\n },\n \"hubResourceId\": {\n \"value\": \"[[parameters('hubResourceId')]\"\n },\n \"dnsServers\": {\n \"value\": \"[[parameters('dnsServers')]\"\n },\n \"vNetPeerUseRemoteGateway\": {\n \"value\": \"[[parameters('vNetPeerUseRemoteGateway')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"vNetRgName\": {\n \"type\": \"String\"\n },\n \"vNetName\": {\n \"type\": \"String\"\n },\n \"vNetLocation\": {\n \"type\": \"String\"\n },\n \"vNetCidrRange\": {\n \"type\": \"String\"\n },\n \"vNetPeerUseRemoteGateway\": {\n \"type\": \"bool\",\n \"defaultValue\": false\n },\n \"hubResourceId\": {\n \"type\": \"String\"\n },\n \"dnsServers\": {\n \"type\": \"Array\",\n \"defaultValue\": []\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"[[concat('alz-vnet-rg-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]\",\n \"location\": \"[[parameters('vNetLocation')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {},\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"[[parameters('vNetRgName')]\",\n \"location\": \"[[parameters('vNetLocation')]\",\n \"properties\": {}\n }\n ],\n \"outputs\": {}\n }\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"[[concat('alz-vnet-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]\",\n \"dependsOn\": [\n \"[[concat('alz-vnet-rg-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {},\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/virtualNetworks\",\n \"apiVersion\": \"2021-02-01\",\n \"name\": \"[[parameters('vNetName')]\",\n \"location\": \"[[parameters('vNetLocation')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"addressSpace\": {\n \"addressPrefixes\": [\n \"[[parameters('vNetCidrRange')]\"\n ]\n },\n \"dhcpOptions\": {\n \"dnsServers\": \"[[parameters('dnsServers')]\"\n }\n }\n },\n {\n \"type\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\",\n \"apiVersion\": \"2021-02-01\",\n \"name\": \"[[concat(parameters('vNetName'), '/peerToHub')]\",\n \"dependsOn\": [\n \"[[parameters('vNetName')]\"\n ],\n \"properties\": {\n \"remoteVirtualNetwork\": {\n \"id\": \"[[parameters('hubResourceId')]\"\n },\n \"allowVirtualNetworkAccess\": true,\n \"allowForwardedTraffic\": true,\n \"allowGatewayTransit\": false,\n \"useRemoteGateways\": \"[[parameters('vNetPeerUseRemoteGateway')]\"\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"[[concat('alz-hub-peering-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]\",\n \"subscriptionId\": \"[[split(parameters('hubResourceId'),'/')[2]]\",\n \"resourceGroup\": \"[[split(parameters('hubResourceId'),'/')[4]]\",\n \"dependsOn\": [\n \"[[parameters('vNetName')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"remoteVirtualNetwork\": {\n \"type\": \"String\",\n \"defaultValue\": false\n },\n \"hubName\": {\n \"type\": \"String\",\n \"defaultValue\": false\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\",\n \"name\": \"[[[concat(parameters('hubName'),'/',last(split(parameters('remoteVirtualNetwork'),'/')))]\",\n \"apiVersion\": \"2021-02-01\",\n \"properties\": {\n \"allowVirtualNetworkAccess\": true,\n \"allowForwardedTraffic\": true,\n \"allowGatewayTransit\": true,\n \"useRemoteGateways\": false,\n \"remoteVirtualNetwork\": {\n \"id\": \"[[[parameters('remoteVirtualNetwork')]\"\n }\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"remoteVirtualNetwork\": {\n \"value\": \"[[concat(subscription().id,'/resourceGroups/',parameters('vNetRgName'), '/providers/','Microsoft.Network/virtualNetworks/', parameters('vNetName'))]\"\n },\n \"hubName\": {\n \"value\": \"[[split(parameters('hubResourceId'),'/')[8]]\"\n }\n }\n }\n }\n ],\n \"outputs\": {}\n }\n },\n \"resourceGroup\": \"[[parameters('vNetRgName')]\"\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#105": "{\n \"name\": \"Deploy-Vm-autoShutdown\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Virtual Machine Auto Shutdown Schedule\",\n \"description\": \"Deploys an auto shutdown schedule to a virtual machine\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Compute\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"time\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Scheduled Shutdown Time\",\n \"description\": \"Daily Scheduled shutdown time. i.e. 2300 = 11:00 PM\"\n },\n \"defaultValue\": \"0000\"\n },\n \"timeZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"UTC\",\n \"metadata\": {\n \"displayName\": \"Time zone\",\n \"description\": \"The time zone ID (e.g. Pacific Standard time).\"\n }\n },\n \"EnableNotification\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"metadata\": {\n \"displayName\": \"Send Notification before auto-shutdown\",\n \"description\": \"If notifications are enabled for this schedule (i.e. Enabled, Disabled).\"\n },\n \"allowedValues\": [\n \"Disabled\",\n \"Enabled\"\n ]\n },\n \"NotificationEmailRecipient\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"Email Address\",\n \"description\": \"Email address to be used for notification\"\n }\n },\n \"NotificationWebhookUrl\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"Webhook URL\",\n \"description\": \"A notification will be posted to the specified webhook endpoint when the auto-shutdown is about to happen.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n \"then\": {\n \"effect\": \"deployIfNotExists\",\n \"details\": {\n \"type\": \"Microsoft.DevTestLab/schedules\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.DevTestLab/schedules/taskType\",\n \"equals\": \"ComputeVmShutdownTask\"\n },\n {\n \"field\": \"Microsoft.DevTestLab/schedules/targetResourceId\",\n \"equals\": \"[[concat(resourceGroup().id,'/providers/Microsoft.Compute/virtualMachines/',field('name'))]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"vmName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n },\n \"time\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"Daily Scheduled shutdown time. i.e. 2300 = 11:00 PM\"\n }\n },\n \"timeZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"The time zone ID (e.g. Pacific Standard time).\"\n }\n },\n \"EnableNotification\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"If notifications are enabled for this schedule (i.e. Enabled, Disabled).\"\n }\n },\n \"NotificationEmailRecipient\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"Email address to be used for notification\"\n }\n },\n \"NotificationWebhookUrl\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"A notification will be posted to the specified webhook endpoint when the auto-shutdown is about to happen.\"\n }\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"[[concat('shutdown-computevm-',parameters('vmName'))]\",\n \"type\": \"Microsoft.DevTestLab/schedules\",\n \"location\": \"[[parameters('location')]\",\n \"apiVersion\": \"2018-09-15\",\n \"properties\": {\n \"status\": \"Enabled\",\n \"taskType\": \"ComputeVmShutdownTask\",\n \"dailyRecurrence\": {\n \"time\": \"[[parameters('time')]\"\n },\n \"timeZoneId\": \"[[parameters('timeZoneId')]\",\n \"notificationSettings\": {\n \"status\": \"[[parameters('EnableNotification')]\",\n \"timeInMinutes\": 30,\n \"webhookUrl\": \"[[parameters('NotificationWebhookUrl')]\",\n \"emailRecipient\": \"[[parameters('NotificationEmailRecipient')]\",\n \"notificationLocale\": \"en\"\n },\n \"targetResourceId\": \"[[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"time\": {\n \"value\": \"[[parameters('time')]\"\n },\n \"timeZoneId\": {\n \"value\": \"[[parameters('timeZoneId')]\"\n },\n \"EnableNotification\": {\n \"value\": \"[[parameters('EnableNotification')]\"\n },\n \"NotificationEmailRecipient\": {\n \"value\": \"[[parameters('NotificationEmailRecipient')]\"\n },\n \"NotificationWebhookUrl\": {\n \"value\": \"[[parameters('NotificationWebhookUrl')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#106": "{\n \"name\": \"Deploy-Windows-DomainJoin\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Windows Domain Join Extension with keyvault configuration\",\n \"description\": \"Deploy Windows Domain Join Extension with keyvault configuration when the extension does not exist on a given windows Virtual Machine\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Guest Configuration\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"domainUsername\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"domainUsername\"\n }\n },\n \"domainPassword\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"domainPassword\"\n }\n },\n \"domainFQDN\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"domainFQDN\"\n }\n },\n \"domainOUPath\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"domainOUPath\"\n }\n },\n \"keyVaultResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"keyVaultResourceId\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n {\n \"field\": \"Microsoft.Compute/imagePublisher\",\n \"equals\": \"MicrosoftWindowsServer\"\n },\n {\n \"field\": \"Microsoft.Compute/imageOffer\",\n \"equals\": \"WindowsServer\"\n },\n {\n \"field\": \"Microsoft.Compute/imageSKU\",\n \"in\": [\n \"2008-R2-SP1\",\n \"2008-R2-SP1-smalldisk\",\n \"2008-R2-SP1-zhcn\",\n \"2012-Datacenter\",\n \"2012-datacenter-gensecond\",\n \"2012-Datacenter-smalldisk\",\n \"2012-datacenter-smalldisk-g2\",\n \"2012-Datacenter-zhcn\",\n \"2012-datacenter-zhcn-g2\",\n \"2012-R2-Datacenter\",\n \"2012-r2-datacenter-gensecond\",\n \"2012-R2-Datacenter-smalldisk\",\n \"2012-r2-datacenter-smalldisk-g2\",\n \"2012-R2-Datacenter-zhcn\",\n \"2012-r2-datacenter-zhcn-g2\",\n \"2016-Datacenter\",\n \"2016-datacenter-gensecond\",\n \"2016-datacenter-gs\",\n \"2016-Datacenter-Server-Core\",\n \"2016-datacenter-server-core-g2\",\n \"2016-Datacenter-Server-Core-smalldisk\",\n \"2016-datacenter-server-core-smalldisk-g2\",\n \"2016-Datacenter-smalldisk\",\n \"2016-datacenter-smalldisk-g2\",\n \"2016-Datacenter-with-Containers\",\n \"2016-datacenter-with-containers-g2\",\n \"2016-Datacenter-with-RDSH\",\n \"2016-Datacenter-zhcn\",\n \"2016-datacenter-zhcn-g2\",\n \"2019-Datacenter\",\n \"2019-Datacenter-Core\",\n \"2019-datacenter-core-g2\",\n \"2019-Datacenter-Core-smalldisk\",\n \"2019-datacenter-core-smalldisk-g2\",\n \"2019-Datacenter-Core-with-Containers\",\n \"2019-datacenter-core-with-containers-g2\",\n \"2019-Datacenter-Core-with-Containers-smalldisk\",\n \"2019-datacenter-core-with-containers-smalldisk-g2\",\n \"2019-datacenter-gensecond\",\n \"2019-datacenter-gs\",\n \"2019-Datacenter-smalldisk\",\n \"2019-datacenter-smalldisk-g2\",\n \"2019-Datacenter-with-Containers\",\n \"2019-datacenter-with-containers-g2\",\n \"2019-Datacenter-with-Containers-smalldisk\",\n \"2019-datacenter-with-containers-smalldisk-g2\",\n \"2019-Datacenter-zhcn\",\n \"2019-datacenter-zhcn-g2\",\n \"Datacenter-Core-1803-with-Containers-smalldisk\",\n \"datacenter-core-1803-with-containers-smalldisk-g2\",\n \"Datacenter-Core-1809-with-Containers-smalldisk\",\n \"datacenter-core-1809-with-containers-smalldisk-g2\",\n \"Datacenter-Core-1903-with-Containers-smalldisk\",\n \"datacenter-core-1903-with-containers-smalldisk-g2\",\n \"datacenter-core-1909-with-containers-smalldisk\",\n \"datacenter-core-1909-with-containers-smalldisk-g1\",\n \"datacenter-core-1909-with-containers-smalldisk-g2\"\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/type\",\n \"equals\": \"JsonADDomainExtension\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/publisher\",\n \"equals\": \"Microsoft.Compute\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"domainUsername\": {\n \"reference\": {\n \"keyVault\": {\n \"id\": \"[[parameters('keyVaultResourceId')]\"\n },\n \"secretName\": \"[[parameters('domainUsername')]\"\n }\n },\n \"domainPassword\": {\n \"reference\": {\n \"keyVault\": {\n \"id\": \"[[parameters('keyVaultResourceId')]\"\n },\n \"secretName\": \"[[parameters('domainPassword')]\"\n }\n },\n \"domainOUPath\": {\n \"value\": \"[[parameters('domainOUPath')]\"\n },\n \"domainFQDN\": {\n \"value\": \"[[parameters('domainFQDN')]\"\n },\n \"keyVaultResourceId\": {\n \"value\": \"[[parameters('keyVaultResourceId')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"vmName\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"domainUsername\": {\n \"type\": \"String\"\n },\n \"domainPassword\": {\n \"type\": \"securestring\"\n },\n \"domainFQDN\": {\n \"type\": \"String\"\n },\n \"domainOUPath\": {\n \"type\": \"String\"\n },\n \"keyVaultResourceId\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {\n \"domainJoinOptions\": 3,\n \"vmName\": \"[[parameters('vmName')]\"\n },\n \"resources\": [\n {\n \"apiVersion\": \"2015-06-15\",\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"name\": \"[[concat(variables('vmName'),'/joindomain')]\",\n \"location\": \"[[resourceGroup().location]\",\n \"properties\": {\n \"publisher\": \"Microsoft.Compute\",\n \"type\": \"JsonADDomainExtension\",\n \"typeHandlerVersion\": \"1.3\",\n \"autoUpgradeMinorVersion\": true,\n \"settings\": {\n \"Name\": \"[[parameters('domainFQDN')]\",\n \"User\": \"[[parameters('domainUserName')]\",\n \"Restart\": \"true\",\n \"Options\": \"[[variables('domainJoinOptions')]\",\n \"OUPath\": \"[[parameters('domainOUPath')]\"\n },\n \"protectedSettings\": {\n \"Password\": \"[[parameters('domainPassword')]\"\n }\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#107": "{\n \"name\": \"Deploy-Diagnostics-VWanS2SVPNGW\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for VWAN S2S VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN Gateway to stream to a Log Analytics workspace when any VWAN S2S VPN Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/vpnGateways\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/vpnGateways/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"GatewayDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"IKEDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"RouteDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"TunnelDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#108": "{\n \"name\": \"Audit-PrivateLinkDnsZones\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null, \n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Audit or Deny the creation of Private Link Private DNS Zones\",\n \"description\": \"This policy audits or denies, depending on assignment effect, the creation of a Private Link Private DNS Zones in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription\",\n \"metadata\": {\n \"version\": \"1.0.2\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"privateLinkDnsZones\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Private Link Private DNS Zones\",\n \"description\": \"An array of Private Link Private DNS Zones to check for the existence of in the assigned scope.\"\n },\n \"defaultValue\": [\n \"privatelink.adf.azure.com\",\n \"privatelink.afs.azure.net\",\n \"privatelink.agentsvc.azure-automation.net\",\n \"privatelink.analysis.windows.net\",\n \"privatelink.api.azureml.ms\",\n \"privatelink.azconfig.io\",\n \"privatelink.azure-api.net\",\n \"privatelink.azure-automation.net\",\n \"privatelink.azurecr.io\",\n \"privatelink.azure-devices.net\",\n \"privatelink.azure-devices-provisioning.net\",\n \"privatelink.azuredatabricks.net\",\n \"privatelink.azurehdinsight.net\",\n \"privatelink.azurehealthcareapis.com\",\n \"privatelink.azurestaticapps.net\",\n \"privatelink.azuresynapse.net\",\n \"privatelink.azurewebsites.net\",\n \"privatelink.batch.azure.com\",\n \"privatelink.blob.core.windows.net\",\n \"privatelink.cassandra.cosmos.azure.com\",\n \"privatelink.cognitiveservices.azure.com\",\n \"privatelink.database.windows.net\",\n \"privatelink.datafactory.azure.net\",\n \"privatelink.dev.azuresynapse.net\",\n \"privatelink.dfs.core.windows.net\",\n \"privatelink.dicom.azurehealthcareapis.com\",\n \"privatelink.digitaltwins.azure.net\",\n \"privatelink.directline.botframework.com\",\n \"privatelink.documents.azure.com\",\n \"privatelink.eventgrid.azure.net\",\n \"privatelink.file.core.windows.net\",\n \"privatelink.gremlin.cosmos.azure.com\",\n \"privatelink.guestconfiguration.azure.com\",\n \"privatelink.his.arc.azure.com\",\n \"privatelink.kubernetesconfiguration.azure.com\",\n \"privatelink.managedhsm.azure.net\",\n \"privatelink.mariadb.database.azure.com\",\n \"privatelink.media.azure.net\",\n \"privatelink.mongo.cosmos.azure.com\",\n \"privatelink.monitor.azure.com\",\n \"privatelink.mysql.database.azure.com\",\n \"privatelink.notebooks.azure.net\",\n \"privatelink.ods.opinsights.azure.com\",\n \"privatelink.oms.opinsights.azure.com\",\n \"privatelink.pbidedicated.windows.net\",\n \"privatelink.postgres.database.azure.com\",\n \"privatelink.prod.migration.windowsazure.com\",\n \"privatelink.purview.azure.com\",\n \"privatelink.purviewstudio.azure.com\",\n \"privatelink.queue.core.windows.net\",\n \"privatelink.redis.cache.windows.net\",\n \"privatelink.redisenterprise.cache.azure.net\",\n \"privatelink.search.windows.net\",\n \"privatelink.service.signalr.net\",\n \"privatelink.servicebus.windows.net\",\n \"privatelink.siterecovery.windowsazure.com\",\n \"privatelink.sql.azuresynapse.net\",\n \"privatelink.table.core.windows.net\",\n \"privatelink.table.cosmos.azure.com\",\n \"privatelink.tip1.powerquery.microsoft.com\",\n \"privatelink.token.botframework.com\",\n \"privatelink.vaultcore.azure.net\",\n \"privatelink.web.core.windows.net\",\n \"privatelink.webpubsub.azure.com\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateDnsZones\"\n },\n {\n \"field\": \"name\",\n \"in\": \"[[parameters('privateLinkDnsZones')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#109": "{\n \"name\": \"DenyAction-DiagnosticLogs\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"DenyAction implementation on Diagnostic Logs.\",\n \"description\": \"DenyAction implementation on Diagnostic Logs.\",\n \"metadata\": {\n \"deprecated\": false,\n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Insights/diagnosticSettings\"\n },\n \"then\": {\n \"effect\": \"denyAction\",\n \"details\": {\n \"actionNames\": [\n \"delete\"\n ]\n }\n }\n }\n }\n}", + "$fxv#105": "{\n \"name\": \"Deploy-Windows-DomainJoin\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Windows Domain Join Extension with keyvault configuration\",\n \"description\": \"Deploy Windows Domain Join Extension with keyvault configuration when the extension does not exist on a given windows Virtual Machine\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Guest Configuration\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"domainUsername\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"domainUsername\"\n }\n },\n \"domainPassword\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"domainPassword\"\n }\n },\n \"domainFQDN\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"domainFQDN\"\n }\n },\n \"domainOUPath\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"domainOUPath\"\n }\n },\n \"keyVaultResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"keyVaultResourceId\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n {\n \"field\": \"Microsoft.Compute/imagePublisher\",\n \"equals\": \"MicrosoftWindowsServer\"\n },\n {\n \"field\": \"Microsoft.Compute/imageOffer\",\n \"equals\": \"WindowsServer\"\n },\n {\n \"field\": \"Microsoft.Compute/imageSKU\",\n \"in\": [\n \"2008-R2-SP1\",\n \"2008-R2-SP1-smalldisk\",\n \"2008-R2-SP1-zhcn\",\n \"2012-Datacenter\",\n \"2012-datacenter-gensecond\",\n \"2012-Datacenter-smalldisk\",\n \"2012-datacenter-smalldisk-g2\",\n \"2012-Datacenter-zhcn\",\n \"2012-datacenter-zhcn-g2\",\n \"2012-R2-Datacenter\",\n \"2012-r2-datacenter-gensecond\",\n \"2012-R2-Datacenter-smalldisk\",\n \"2012-r2-datacenter-smalldisk-g2\",\n \"2012-R2-Datacenter-zhcn\",\n \"2012-r2-datacenter-zhcn-g2\",\n \"2016-Datacenter\",\n \"2016-datacenter-gensecond\",\n \"2016-datacenter-gs\",\n \"2016-Datacenter-Server-Core\",\n \"2016-datacenter-server-core-g2\",\n \"2016-Datacenter-Server-Core-smalldisk\",\n \"2016-datacenter-server-core-smalldisk-g2\",\n \"2016-Datacenter-smalldisk\",\n \"2016-datacenter-smalldisk-g2\",\n \"2016-Datacenter-with-Containers\",\n \"2016-datacenter-with-containers-g2\",\n \"2016-Datacenter-with-RDSH\",\n \"2016-Datacenter-zhcn\",\n \"2016-datacenter-zhcn-g2\",\n \"2019-Datacenter\",\n \"2019-Datacenter-Core\",\n \"2019-datacenter-core-g2\",\n \"2019-Datacenter-Core-smalldisk\",\n \"2019-datacenter-core-smalldisk-g2\",\n \"2019-Datacenter-Core-with-Containers\",\n \"2019-datacenter-core-with-containers-g2\",\n \"2019-Datacenter-Core-with-Containers-smalldisk\",\n \"2019-datacenter-core-with-containers-smalldisk-g2\",\n \"2019-datacenter-gensecond\",\n \"2019-datacenter-gs\",\n \"2019-Datacenter-smalldisk\",\n \"2019-datacenter-smalldisk-g2\",\n \"2019-Datacenter-with-Containers\",\n \"2019-datacenter-with-containers-g2\",\n \"2019-Datacenter-with-Containers-smalldisk\",\n \"2019-datacenter-with-containers-smalldisk-g2\",\n \"2019-Datacenter-zhcn\",\n \"2019-datacenter-zhcn-g2\",\n \"Datacenter-Core-1803-with-Containers-smalldisk\",\n \"datacenter-core-1803-with-containers-smalldisk-g2\",\n \"Datacenter-Core-1809-with-Containers-smalldisk\",\n \"datacenter-core-1809-with-containers-smalldisk-g2\",\n \"Datacenter-Core-1903-with-Containers-smalldisk\",\n \"datacenter-core-1903-with-containers-smalldisk-g2\",\n \"datacenter-core-1909-with-containers-smalldisk\",\n \"datacenter-core-1909-with-containers-smalldisk-g1\",\n \"datacenter-core-1909-with-containers-smalldisk-g2\"\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/type\",\n \"equals\": \"JsonADDomainExtension\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/publisher\",\n \"equals\": \"Microsoft.Compute\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"domainUsername\": {\n \"reference\": {\n \"keyVault\": {\n \"id\": \"[[parameters('keyVaultResourceId')]\"\n },\n \"secretName\": \"[[parameters('domainUsername')]\"\n }\n },\n \"domainPassword\": {\n \"reference\": {\n \"keyVault\": {\n \"id\": \"[[parameters('keyVaultResourceId')]\"\n },\n \"secretName\": \"[[parameters('domainPassword')]\"\n }\n },\n \"domainOUPath\": {\n \"value\": \"[[parameters('domainOUPath')]\"\n },\n \"domainFQDN\": {\n \"value\": \"[[parameters('domainFQDN')]\"\n },\n \"keyVaultResourceId\": {\n \"value\": \"[[parameters('keyVaultResourceId')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"vmName\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"domainUsername\": {\n \"type\": \"String\"\n },\n \"domainPassword\": {\n \"type\": \"securestring\"\n },\n \"domainFQDN\": {\n \"type\": \"String\"\n },\n \"domainOUPath\": {\n \"type\": \"String\"\n },\n \"keyVaultResourceId\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {\n \"domainJoinOptions\": 3,\n \"vmName\": \"[[parameters('vmName')]\"\n },\n \"resources\": [\n {\n \"apiVersion\": \"2015-06-15\",\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"name\": \"[[concat(variables('vmName'),'/joindomain')]\",\n \"location\": \"[[resourceGroup().location]\",\n \"properties\": {\n \"publisher\": \"Microsoft.Compute\",\n \"type\": \"JsonADDomainExtension\",\n \"typeHandlerVersion\": \"1.3\",\n \"autoUpgradeMinorVersion\": true,\n \"settings\": {\n \"Name\": \"[[parameters('domainFQDN')]\",\n \"User\": \"[[parameters('domainUserName')]\",\n \"Restart\": \"true\",\n \"Options\": \"[[variables('domainJoinOptions')]\",\n \"OUPath\": \"[[parameters('domainOUPath')]\"\n },\n \"protectedSettings\": {\n \"Password\": \"[[parameters('domainPassword')]\"\n }\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#106": "{\n \"name\": \"Deploy-Diagnostics-VWanS2SVPNGW\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for VWAN S2S VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN Gateway to stream to a Log Analytics workspace when any VWAN S2S VPN Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/vpnGateways\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/vpnGateways/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"GatewayDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"IKEDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"RouteDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"TunnelDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#107": "{\n \"name\": \"Audit-PrivateLinkDnsZones\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null, \n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Audit or Deny the creation of Private Link Private DNS Zones\",\n \"description\": \"This policy audits or denies, depending on assignment effect, the creation of a Private Link Private DNS Zones in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription\",\n \"metadata\": {\n \"version\": \"1.0.2\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"privateLinkDnsZones\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Private Link Private DNS Zones\",\n \"description\": \"An array of Private Link Private DNS Zones to check for the existence of in the assigned scope.\"\n },\n \"defaultValue\": [\n \"privatelink.adf.azure.com\",\n \"privatelink.afs.azure.net\",\n \"privatelink.agentsvc.azure-automation.net\",\n \"privatelink.analysis.windows.net\",\n \"privatelink.api.azureml.ms\",\n \"privatelink.azconfig.io\",\n \"privatelink.azure-api.net\",\n \"privatelink.azure-automation.net\",\n \"privatelink.azurecr.io\",\n \"privatelink.azure-devices.net\",\n \"privatelink.azure-devices-provisioning.net\",\n \"privatelink.azuredatabricks.net\",\n \"privatelink.azurehdinsight.net\",\n \"privatelink.azurehealthcareapis.com\",\n \"privatelink.azurestaticapps.net\",\n \"privatelink.azuresynapse.net\",\n \"privatelink.azurewebsites.net\",\n \"privatelink.batch.azure.com\",\n \"privatelink.blob.core.windows.net\",\n \"privatelink.cassandra.cosmos.azure.com\",\n \"privatelink.cognitiveservices.azure.com\",\n \"privatelink.database.windows.net\",\n \"privatelink.datafactory.azure.net\",\n \"privatelink.dev.azuresynapse.net\",\n \"privatelink.dfs.core.windows.net\",\n \"privatelink.dicom.azurehealthcareapis.com\",\n \"privatelink.digitaltwins.azure.net\",\n \"privatelink.directline.botframework.com\",\n \"privatelink.documents.azure.com\",\n \"privatelink.eventgrid.azure.net\",\n \"privatelink.file.core.windows.net\",\n \"privatelink.gremlin.cosmos.azure.com\",\n \"privatelink.guestconfiguration.azure.com\",\n \"privatelink.his.arc.azure.com\",\n \"privatelink.kubernetesconfiguration.azure.com\",\n \"privatelink.managedhsm.azure.net\",\n \"privatelink.mariadb.database.azure.com\",\n \"privatelink.media.azure.net\",\n \"privatelink.mongo.cosmos.azure.com\",\n \"privatelink.monitor.azure.com\",\n \"privatelink.mysql.database.azure.com\",\n \"privatelink.notebooks.azure.net\",\n \"privatelink.ods.opinsights.azure.com\",\n \"privatelink.oms.opinsights.azure.com\",\n \"privatelink.pbidedicated.windows.net\",\n \"privatelink.postgres.database.azure.com\",\n \"privatelink.prod.migration.windowsazure.com\",\n \"privatelink.purview.azure.com\",\n \"privatelink.purviewstudio.azure.com\",\n \"privatelink.queue.core.windows.net\",\n \"privatelink.redis.cache.windows.net\",\n \"privatelink.redisenterprise.cache.azure.net\",\n \"privatelink.search.windows.net\",\n \"privatelink.service.signalr.net\",\n \"privatelink.servicebus.windows.net\",\n \"privatelink.siterecovery.windowsazure.com\",\n \"privatelink.sql.azuresynapse.net\",\n \"privatelink.table.core.windows.net\",\n \"privatelink.table.cosmos.azure.com\",\n \"privatelink.tip1.powerquery.microsoft.com\",\n \"privatelink.token.botframework.com\",\n \"privatelink.vaultcore.azure.net\",\n \"privatelink.web.core.windows.net\",\n \"privatelink.webpubsub.azure.com\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateDnsZones\"\n },\n {\n \"field\": \"name\",\n \"in\": \"[[parameters('privateLinkDnsZones')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#108": "{\n \"name\": \"DenyAction-DiagnosticLogs\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"DenyAction implementation on Diagnostic Logs.\",\n \"description\": \"DenyAction implementation on Diagnostic Logs.\",\n \"metadata\": {\n \"deprecated\": false,\n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Insights/diagnosticSettings\"\n },\n \"then\": {\n \"effect\": \"denyAction\",\n \"details\": {\n \"actionNames\": [\n \"delete\"\n ]\n }\n }\n }\n }\n}", + "$fxv#109": "{\n \"name\": \"DenyAction-ActivityLogs\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"DenyAction implementation on Activity Logs\",\n \"description\": \"This is a DenyAction implementation policy on Activity Logs.\",\n \"metadata\": {\n \"deprecated\": false, \n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions/providers/diagnosticSettings\"\n },\n \"then\": {\n \"effect\": \"denyAction\",\n \"details\": {\n \"actionNames\": [\n \"delete\"\n ]\n }\n }\n }\n }\n}", "$fxv#11": "{\n \"name\": \"Deny-AppServiceFunctionApp-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Function App should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"kind\",\n \"like\": \"functionapp*\"\n },\n {\n \"field\": \"Microsoft.Web/sites/httpsOnly\",\n \"equals\": \"false\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#110": "{\n \"name\": \"DenyAction-ActivityLogs\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"DenyAction implementation on Activity Logs\",\n \"description\": \"This is a DenyAction implementation policy on Activity Logs.\",\n \"metadata\": {\n \"deprecated\": false, \n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions/providers/diagnosticSettings\"\n },\n \"then\": {\n \"effect\": \"denyAction\",\n \"details\": {\n \"actionNames\": [\n \"delete\"\n ]\n }\n }\n }\n }\n}", - "$fxv#111": "{\n \"name\": \"Deploy-UserAssignedManagedIdentity-VMInsights\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"displayName\": \"[Deprecated]: Deploy User Assigned Managed Identity for VM Insights\",\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"description\": \"Policy is deprecated as it's no longer required. User-Assigned Management Identity is now centralized and deployed by Azure Landing Zones to the Management Subscription.\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Managed Identity\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"bringYourOwnUserAssignedManagedIdentity\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Bring Your Own User-Assigned Identity\",\n \"description\": \"Enable this to use your pre-created user-assigned managed identity. The pre-created identity MUST exist within the subscription otherwise the policy deployment will fail. If enabled, ensure that the User-Assigned Identity Name and Identity Resource Group Name parameters match the pre-created identity. If not enabled, the policy will create per subscription, per resource user-assigned managed identities in a new resource group named 'Built-In-Identity-RG'.\"\n },\n \"allowedValues\": [\n true,\n false\n ]\n },\n \"userAssignedIdentityName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User-Assigned Managed Identity Name\",\n \"description\": \"The name of the pre-created user-assigned managed identity.\"\n },\n \"defaultValue\": \"\"\n },\n \"identityResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User-Assigned Managed Identity Resource Group Name\",\n \"description\": \"The resource group in which the pre-created user-assigned managed identity resides.\"\n },\n \"defaultValue\": \"\"\n },\n \"builtInIdentityResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Built-In-Identity-RG Location\",\n \"description\": \"The location of the resource group 'Built-In-Identity-RG' created by the policy. This parameter is only used when 'Bring Your Own User Assigned Identity' parameter is false.\"\n },\n \"defaultValue\": \"eastus\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Policy Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match.\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n {\n \"value\": \"[[requestContext().apiVersion]\",\n \"greaterOrEquals\": \"2018-10-01\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Compute/virtualMachines\",\n \"name\": \"[[field('name')]\",\n \"evaluationDelay\": \"AfterProvisioning\",\n \"deploymentScope\": \"subscription\",\n \"existenceCondition\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"field\": \"identity.type\",\n \"contains\": \"UserAssigned\"\n },\n {\n \"field\": \"identity.userAssignedIdentities\",\n \"containsKey\": \"[[if(parameters('bringYourOwnUserAssignedManagedIdentity'), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('userAssignedIdentityName'))), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/Built-In-Identity-RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/Built-In-Identity-', field('location')))]\"\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"identity.type\",\n \"equals\": \"UserAssigned\"\n },\n {\n \"value\": \"[[string(length(field('identity.userAssignedIdentities')))]\",\n \"equals\": \"1\"\n }\n ]\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"location\": \"eastus\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"bringYourOwnUserAssignedManagedIdentity\": {\n \"value\": \"[[parameters('bringYourOwnUserAssignedManagedIdentity')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"uaName\": {\n \"value\": \"[[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('userAssignedIdentityName'), 'Built-In-Identity')]\"\n },\n \"identityResourceGroup\": {\n \"value\": \"[[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('identityResourceGroup'), 'Built-In-Identity-RG')]\"\n },\n \"builtInIdentityResourceGroupLocation\": {\n \"value\": \"[[parameters('builtInIdentityResourceGroupLocation')]\"\n },\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"vmResourceGroup\": {\n \"value\": \"[[resourceGroup().name]\"\n },\n \"resourceId\": {\n \"value\": \"[[field('id')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.1\",\n \"parameters\": {\n \"bringYourOwnUserAssignedManagedIdentity\": {\n \"type\": \"bool\"\n },\n \"location\": {\n \"type\": \"string\"\n },\n \"uaName\": {\n \"type\": \"string\"\n },\n \"identityResourceGroup\": {\n \"type\": \"string\"\n },\n \"builtInIdentityResourceGroupLocation\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n },\n \"vmResourceGroup\": {\n \"type\": \"string\"\n },\n \"resourceId\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {\n \"uaNameWithLocation\": \"[[concat(parameters('uaName'),'-', parameters('location'))]\",\n \"precreatedUaId\": \"[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('uaName')))]\",\n \"autocreatedUaId\": \"[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('uaName')), '-', parameters('location'))]\",\n \"deployUALockName\": \"[[concat('deployUALock-', uniqueString(deployment().name))]\",\n \"deployUAName\": \"[[concat('deployUA-', uniqueString(deployment().name))]\",\n \"deployGetResourceProperties\": \"[[concat('deployGetResourceProperties-', uniqueString(deployment().name))]\",\n \"deployAssignUAName\": \"[[concat('deployAssignUA-', uniqueString(deployment().name))]\"\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"apiVersion\": \"2020-06-01\",\n \"name\": \"[[parameters('identityResourceGroup')]\",\n \"location\": \"[[parameters('builtInIdentityResourceGroupLocation')]\"\n },\n {\n \"condition\": \"[[parameters('bringYourOwnUserAssignedManagedIdentity')]\",\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2020-06-01\",\n \"name\": \"[[variables('deployUALockName')]\",\n \"resourceGroup\": \"[[parameters('identityResourceGroup')]\",\n \"dependsOn\": [\n \"[[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"uaName\": {\n \"value\": \"[[parameters('uaName')]\"\n },\n \"location\": {\n \"value\": \"[[parameters('location')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"uaName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.ManagedIdentity/userAssignedIdentities\",\n \"name\": \"[[parameters('uaName')]\",\n \"apiVersion\": \"2018-11-30\",\n \"location\": \"[[parameters('location')]\"\n }\n ]\n }\n }\n },\n {\n \"condition\": \"[[not(parameters('bringYourOwnUserAssignedManagedIdentity'))]\",\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2020-06-01\",\n \"name\": \"[[variables('deployUAName')]\",\n \"resourceGroup\": \"[[parameters('identityResourceGroup')]\",\n \"dependsOn\": [\n \"[[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"uaName\": {\n \"value\": \"[[variables('uaNameWithLocation')]\"\n },\n \"location\": {\n \"value\": \"[[parameters('location')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"uaName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.ManagedIdentity/userAssignedIdentities\",\n \"name\": \"[[parameters('uaName')]\",\n \"apiVersion\": \"2018-11-30\",\n \"location\": \"[[parameters('location')]\"\n },\n {\n \"type\": \"Microsoft.ManagedIdentity/userAssignedIdentities/providers/locks\",\n \"apiVersion\": \"2016-09-01\",\n \"name\": \"[[concat(parameters('uaName'), '/Microsoft.Authorization/', 'CanNotDeleteLock-', parameters('uaName'))]\",\n \"dependsOn\": [\n \"[[parameters('uaName')]\"\n ],\n \"properties\": {\n \"level\": \"CanNotDelete\",\n \"notes\": \"Please do not delete this User-Assigned Identity since extensions enabled by Azure Policy are relying on their existence.\"\n }\n }\n ]\n }\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2020-06-01\",\n \"name\": \"[[variables('deployGetResourceProperties')]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [\n \"[[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]\",\n \"[[variables('deployUAName')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"resources\": [],\n \"outputs\": {\n \"resource\": {\n \"type\": \"object\",\n \"value\": \"[[reference(parameters('resourceId'), '2019-07-01', 'Full')]\"\n }\n }\n }\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2020-06-01\",\n \"name\": \"[[concat(variables('deployAssignUAName'))]\",\n \"resourceGroup\": \"[[parameters('vmResourceGroup')]\",\n \"dependsOn\": [\n \"[[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]\",\n \"[[variables('deployUAName')]\",\n \"[[variables('deployGetResourceProperties')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"uaId\": {\n \"value\": \"[[if(parameters('bringYourOwnUserAssignedManagedIdentity'), variables('precreatedUaId'), variables('autocreatedUaId'))]\"\n },\n \"vmName\": {\n \"value\": \"[[parameters('vmName')]\"\n },\n \"location\": {\n \"value\": \"[[parameters('location')]\"\n },\n \"identityType\": {\n \"value\": \"[[if(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.type, '')]\"\n },\n \"userAssignedIdentities\": {\n \"value\": \"[[if(and(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), contains(reference(variables('deployGetResourceProperties')).outputs.resource.value.identity, 'userAssignedIdentities')), reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.userAssignedIdentities, createObject())]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"uaId\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n },\n \"identityType\": {\n \"type\": \"string\"\n },\n \"userAssignedIdentities\": {\n \"type\": \"object\"\n }\n },\n \"variables\": {\n \"identityTypeValue\": \"[[if(contains(parameters('identityType'), 'SystemAssigned'), 'SystemAssigned,UserAssigned', 'UserAssigned')]\",\n \"userAssignedIdentitiesValue\": \"[[union(parameters('userAssignedIdentities'), createObject(parameters('uaId'), createObject()))]\",\n \"resourceWithSingleUAI\": \"[[and(equals(parameters('identityType'), 'UserAssigned'), equals(string(length(parameters('userAssignedIdentities'))), '1'))]\"\n },\n \"resources\": [\n {\n \"condition\": \"[[not(variables('resourceWithSingleUAI'))]\",\n \"apiVersion\": \"2019-07-01\",\n \"type\": \"Microsoft.Compute/virtualMachines\",\n \"name\": \"[[parameters('vmName')]\",\n \"location\": \"[[parameters('location')]\",\n \"identity\": {\n \"type\": \"[[variables('identityTypeValue')]\",\n \"userAssignedIdentities\": \"[[variables('userAssignedIdentitiesValue')]\"\n }\n }\n ]\n }\n }\n }\n ]\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#112": "{\n \"name\": \"Deploy-MDFC-Arc-SQL-DCR-Association\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Configure Arc-enabled SQL Servers with DCR Association to Microsoft Defender for SQL user-defined DCR\",\n \"description\": \"Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/2227e1f1-23dd-4c3a-85a9-7024a401d8b2.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"2227e1f1-23dd-4c3a-85a9-7024a401d8b2\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.HybridCompute/machines\"\n },\n {\n \"field\": \"Microsoft.HybridCompute/machines/osName\",\n \"equals\": \"Windows\"\n },\n {\n \"field\": \"Microsoft.HybridCompute/machines/mssqlDiscovered\",\n \"equals\": \"true\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/dataCollectionRuleAssociations\",\n \"name\": \"MicrosoftDefenderForSQL-RulesAssociation\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceGroup\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n },\n \"workspaceRegion\": {\n \"type\": \"string\"\n },\n \"dcrName\": {\n \"type\": \"string\"\n },\n \"dcrResourceGroup\": {\n \"type\": \"string\"\n },\n \"dcrId\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {\n \"locationLongNameToShortMap\": {\n \"australiacentral\": \"CAU\",\n \"australiaeast\": \"EAU\",\n \"australiasoutheast\": \"SEAU\",\n \"brazilsouth\": \"CQ\",\n \"canadacentral\": \"CCA\",\n \"canadaeast\": \"CCA\",\n \"centralindia\": \"CIN\",\n \"centralus\": \"CUS\",\n \"eastasia\": \"EA\",\n \"eastus2euap\": \"eus2p\",\n \"eastus\": \"EUS\",\n \"eastus2\": \"EUS2\",\n \"francecentral\": \"PAR\",\n \"germanywestcentral\": \"DEWC\",\n \"japaneast\": \"EJP\",\n \"jioindiawest\": \"CIN\",\n \"koreacentral\": \"SE\",\n \"koreasouth\": \"SE\",\n \"northcentralus\": \"NCUS\",\n \"northeurope\": \"NEU\",\n \"norwayeast\": \"NOE\",\n \"southafricanorth\": \"JNB\",\n \"southcentralus\": \"SCUS\",\n \"southeastasia\": \"SEA\",\n \"southindia\": \"CIN\",\n \"swedencentral\": \"SEC\",\n \"switzerlandnorth\": \"CHN\",\n \"switzerlandwest\": \"CHW\",\n \"uaenorth\": \"DXB\",\n \"uksouth\": \"SUK\",\n \"ukwest\": \"WUK\",\n \"westcentralus\": \"WCUS\",\n \"westeurope\": \"WEU\",\n \"westindia\": \"CIN\",\n \"westus\": \"WUS\",\n \"westus2\": \"WUS2\"\n },\n \"locationCode\": \"[[if(contains(variables('locationLongNameToShortMap'), parameters('workspaceRegion')), variables('locationLongNameToShortMap')[parameters('workspaceRegion')], parameters('workspaceRegion'))]\",\n \"subscriptionId\": \"[[subscription().subscriptionId]\",\n \"defaultRGName\": \"[[parameters('resourceGroup')]\",\n \"dcrName\": \"[[parameters('dcrName')]\",\n \"dcrId\": \"[[parameters('dcrId')]\",\n \"dcraName\": \"[[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]\"\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.HybridCompute/machines/providers/dataCollectionRuleAssociations\",\n \"name\": \"[[variables('dcraName')]\",\n \"apiVersion\": \"2021-04-01\",\n \"properties\": {\n \"description\": \"Configure association between Arc-enabled SQL Server and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Server.\",\n \"dataCollectionRuleId\": \"[[variables('dcrId')]\"\n }\n }\n ]\n },\n \"parameters\": {\n \"resourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#113": "{\n \"name\": \"Deploy-MDFC-Arc-Sql-DefenderSQL-DCR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Configure Arc-enabled SQL Servers to auto install Microsoft Defender for SQL and DCR with a user-defined LAW\",\n \"description\": \"Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/63d03cbd-47fd-4ee1-8a1c-9ddf07303de0.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"63d03cbd-47fd-4ee1-8a1c-9ddf07303de0\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace Resource Id\",\n \"description\": \"Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Enable collection of SQL queries for security research\",\n \"description\": \"Enable or disable the collection of SQL queries for security research.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.HybridCompute/machines\"\n },\n {\n \"field\": \"Microsoft.HybridCompute/machines/osName\",\n \"equals\": \"Windows\"\n },\n {\n \"field\": \"Microsoft.HybridCompute/machines/mssqlDiscovered\",\n \"equals\": \"true\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/dataCollectionRules\",\n \"deploymentScope\": \"subscription\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('workspaceRegion')]\"\n },\n {\n \"field\": \"name\",\n \"equals\": \"[[parameters('dcrName')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"eastus\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceGroup\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"string\"\n },\n \"workspaceRegion\": {\n \"type\": \"string\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"bool\"\n },\n \"dcrName\": {\n \"type\": \"string\"\n },\n \"dcrResourceGroup\": {\n \"type\": \"string\"\n },\n \"dcrId\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {\n \"locationLongNameToShortMap\": {\n \"australiacentral\": \"CAU\",\n \"australiaeast\": \"EAU\",\n \"australiasoutheast\": \"SEAU\",\n \"brazilsouth\": \"CQ\",\n \"canadacentral\": \"CCA\",\n \"canadaeast\": \"CCA\",\n \"centralindia\": \"CIN\",\n \"centralus\": \"CUS\",\n \"eastasia\": \"EA\",\n \"eastus2euap\": \"eus2p\",\n \"eastus\": \"EUS\",\n \"eastus2\": \"EUS2\",\n \"francecentral\": \"PAR\",\n \"germanywestcentral\": \"DEWC\",\n \"japaneast\": \"EJP\",\n \"jioindiawest\": \"CIN\",\n \"koreacentral\": \"SE\",\n \"koreasouth\": \"SE\",\n \"northcentralus\": \"NCUS\",\n \"northeurope\": \"NEU\",\n \"norwayeast\": \"NOE\",\n \"southafricanorth\": \"JNB\",\n \"southcentralus\": \"SCUS\",\n \"southeastasia\": \"SEA\",\n \"southindia\": \"CIN\",\n \"swedencentral\": \"SEC\",\n \"switzerlandnorth\": \"CHN\",\n \"switzerlandwest\": \"CHW\",\n \"uaenorth\": \"DXB\",\n \"uksouth\": \"SUK\",\n \"ukwest\": \"WUK\",\n \"westcentralus\": \"WCUS\",\n \"westeurope\": \"WEU\",\n \"westindia\": \"CIN\",\n \"westus\": \"WUS\",\n \"westus2\": \"WUS2\"\n },\n \"locationCode\": \"[[if(contains(variables('locationLongNameToShortMap'), parameters('workspaceRegion')), variables('locationLongNameToShortMap')[parameters('workspaceRegion')], parameters('workspaceRegion'))]\",\n \"subscriptionId\": \"[[subscription().subscriptionId]\",\n \"defaultRGName\": \"[[parameters('resourceGroup')]\",\n \"defaultRGLocation\": \"[[parameters('workspaceRegion')]\",\n \"dcrName\": \"[[parameters('dcrName')]\",\n \"dcrId\": \"[[parameters('dcrId')]\",\n \"dcraName\": \"[[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]\",\n \"deployDataCollectionRules\": \"[[concat('deployDataCollectionRules-', uniqueString(deployment().name))]\",\n \"deployDataCollectionRulesAssociation\": \"[[concat('deployDataCollectionRulesAssociation-', uniqueString(deployment().name))]\"\n },\n \"resources\": [\n {\n \"condition\": \"[[empty(parameters('dcrResourceGroup'))]\",\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"name\": \"[[variables('defaultRGName')]\",\n \"apiVersion\": \"2022-09-01\",\n \"location\": \"[[variables('defaultRGLocation')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n }\n },\n {\n \"condition\": \"[[empty(parameters('dcrId'))]\",\n \"type\": \"Microsoft.Resources/deployments\",\n \"name\": \"[[variables('deployDataCollectionRules')]\",\n \"apiVersion\": \"2022-09-01\",\n \"resourceGroup\": \"[[variables('defaultRGName')]\",\n \"dependsOn\": [\n \"[[variables('defaultRGName')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"defaultRGLocation\": {\n \"value\": \"[[variables('defaultRGLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"dcrName\": {\n \"value\": \"[[variables('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[variables('dcrId')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"defaultRGLocation\": {\n \"type\": \"string\"\n },\n \"workspaceResourceId\": {\n \"type\": \"string\"\n },\n \"dcrName\": {\n \"type\": \"string\"\n },\n \"dcrId\": {\n \"type\": \"string\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"bool\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Insights/dataCollectionRules\",\n \"name\": \"[[parameters('dcrName')]\",\n \"apiVersion\": \"2021-04-01\",\n \"location\": \"[[parameters('defaultRGLocation')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n },\n \"properties\": {\n \"description\": \"Data collection rule for Microsoft Defender for SQL. Deleting this rule will break the detection of security vulnerabilities.\",\n \"dataSources\": {\n \"extensions\": [\n {\n \"extensionName\": \"MicrosoftDefenderForSQL\",\n \"name\": \"MicrosoftDefenderForSQL\",\n \"streams\": [\n \"Microsoft-DefenderForSqlAlerts\",\n \"Microsoft-DefenderForSqlLogins\",\n \"Microsoft-DefenderForSqlTelemetry\",\n \"Microsoft-DefenderForSqlScanEvents\",\n \"Microsoft-DefenderForSqlScanResults\"\n ],\n \"extensionSettings\": {\n \"enableCollectionOfSqlQueriesForSecurityResearch\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n }\n }\n ]\n },\n \"destinations\": {\n \"logAnalytics\": [\n {\n \"workspaceResourceId\": \"[[parameters('workspaceResourceId')]\",\n \"name\": \"LogAnalyticsDest\"\n }\n ]\n },\n \"dataFlows\": [\n {\n \"streams\": [\n \"Microsoft-DefenderForSqlAlerts\",\n \"Microsoft-DefenderForSqlLogins\",\n \"Microsoft-DefenderForSqlTelemetry\",\n \"Microsoft-DefenderForSqlScanEvents\",\n \"Microsoft-DefenderForSqlScanResults\"\n ],\n \"destinations\": [\n \"LogAnalyticsDest\"\n ]\n }\n ]\n }\n }\n ]\n }\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"name\": \"[[variables('deployDataCollectionRulesAssociation')]\",\n \"apiVersion\": \"2022-09-01\",\n \"resourceGroup\": \"[[parameters('resourceGroup')]\",\n \"dependsOn\": [\n \"[[variables('deployDataCollectionRules')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"dcrId\": {\n \"value\": \"[[variables('dcrId')]\"\n },\n \"dcraName\": {\n \"value\": \"[[variables('dcraName')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"dcrId\": {\n \"type\": \"string\"\n },\n \"dcraName\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.HybridCompute/machines/providers/dataCollectionRuleAssociations\",\n \"name\": \"[[parameters('dcraName')]\",\n \"apiVersion\": \"2021-04-01\",\n \"properties\": {\n \"description\": \"Configure association between Arc-enabled SQL Server and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Server.\",\n \"dataCollectionRuleId\": \"[[parameters('dcrId')]\"\n }\n }\n ]\n }\n }\n }\n ]\n },\n \"parameters\": {\n \"resourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#114": "{\n \"name\": \"Deploy-MDFC-SQL-AMA\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Configure SQL Virtual Machines to automatically install Azure Monitor Agent\",\n \"description\": \"Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/f91991d1-5383-4c95-8ee5-5ac423dd8bb1.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"f91991d1-5383-4c95-8ee5-5ac423dd8bb1\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"identityResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Identity Resource Group\",\n \"description\": \"The name of the resource group created by the policy.\"\n },\n \"defaultValue\": \"\"\n },\n \"userAssignedIdentityName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User Assigned Managed Identity Name\",\n \"description\": \"The name of the user assigned managed identity.\"\n },\n \"defaultValue\": \"\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\n \"like\": \"Windows*\"\n },\n {\n \"field\": \"Microsoft.Compute/imagePublisher\",\n \"equals\": \"microsoftsqlserver\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"evaluationDelay\": \"AfterProvisioning\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"\n ],\n \"name\": \"[[concat(field('fullName'), '/AzureMonitorWindowsAgent')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/type\",\n \"equals\": \"AzureMonitorWindowsAgent\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/publisher\",\n \"equals\": \"Microsoft.Azure.Monitor\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/provisioningState\",\n \"in\": [\n \"Succeeded\",\n \"Provisioning succeeded\"\n ]\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"vmName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n },\n \"userAssignedManagedIdentity\": {\n \"type\": \"string\"\n },\n \"userAssignedIdentityName\": {\n \"type\": \"string\"\n },\n \"identityResourceGroup\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {\n \"extensionName\": \"AzureMonitorWindowsAgent\",\n \"extensionPublisher\": \"Microsoft.Azure.Monitor\",\n \"extensionType\": \"AzureMonitorWindowsAgent\",\n \"extensionTypeHandlerVersion\": \"1.2\"\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('vmName'), '/', variables('extensionName'))]\",\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"location\": \"[[parameters('location')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n },\n \"apiVersion\": \"2023-03-01\",\n \"properties\": {\n \"publisher\": \"[[variables('extensionPublisher')]\",\n \"type\": \"[[variables('extensionType')]\",\n \"typeHandlerVersion\": \"[[variables('extensionTypeHandlerVersion')]\",\n \"autoUpgradeMinorVersion\": true,\n \"enableAutomaticUpgrade\": true,\n \"settings\": {\n \"authentication\": {\n \"managedIdentity\": {\n \"identifier-name\": \"mi_res_id\",\n \"identifier-value\": \"[[parameters('userAssignedManagedIdentity')]\"\n }\n }\n }\n }\n }\n ]\n },\n \"parameters\": {\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"userAssignedManagedIdentity\": {\n \"value\": \"[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('userAssignedIdentityName')))]\"\n },\n \"userAssignedIdentityName\": {\n \"value\": \"[[parameters('userAssignedIdentityName')]\"\n },\n \"identityResourceGroup\": {\n \"value\": \"[[parameters('identityResourceGroup')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#115": "{\n \"name\": \"Deploy-MDFC-SQL-DefenderSQL-DCR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Configure SQL Virtual Machines to auto install Microsoft Defender for SQL and DCR with a user-defined LAW\",\n \"description\": \"Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/04754ef9-9ae3-4477-bf17-86ef50026304.html\",\n \"metadata\": {\n \"version\": \"1.0.1-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"04754ef9-9ae3-4477-bf17-86ef50026304\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace Resource Id\",\n \"description\": \"Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Enable collection of SQL queries for security research\",\n \"description\": \"Enable or disable the collection of SQL queries for security research.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\n \"like\": \"Windows*\"\n },\n {\n \"field\": \"Microsoft.Compute/imagePublisher\",\n \"equals\": \"microsoftsqlserver\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/dataCollectionRules\",\n \"evaluationDelay\": \"AfterProvisioning\",\n \"deploymentScope\": \"subscription\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('workspaceRegion')]\"\n },\n {\n \"field\": \"name\",\n \"equals\": \"[[parameters('dcrName')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"eastus\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceGroup\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"string\"\n },\n \"workspaceRegion\": {\n \"type\": \"string\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"bool\"\n },\n \"dcrName\": {\n \"type\": \"string\"\n },\n \"dcrResourceGroup\": {\n \"type\": \"string\"\n },\n \"dcrId\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {\n \"locationLongNameToShortMap\": {\n \"australiacentral\": \"CAU\",\n \"australiaeast\": \"EAU\",\n \"australiasoutheast\": \"SEAU\",\n \"brazilsouth\": \"CQ\",\n \"canadacentral\": \"CCA\",\n \"canadaeast\": \"CCA\",\n \"centralindia\": \"CIN\",\n \"centralus\": \"CUS\",\n \"eastasia\": \"EA\",\n \"eastus2euap\": \"eus2p\",\n \"eastus\": \"EUS\",\n \"eastus2\": \"EUS2\",\n \"francecentral\": \"PAR\",\n \"germanywestcentral\": \"DEWC\",\n \"japaneast\": \"EJP\",\n \"jioindiawest\": \"CIN\",\n \"koreacentral\": \"SE\",\n \"koreasouth\": \"SE\",\n \"northcentralus\": \"NCUS\",\n \"northeurope\": \"NEU\",\n \"norwayeast\": \"NOE\",\n \"southafricanorth\": \"JNB\",\n \"southcentralus\": \"SCUS\",\n \"southeastasia\": \"SEA\",\n \"southindia\": \"CIN\",\n \"swedencentral\": \"SEC\",\n \"switzerlandnorth\": \"CHN\",\n \"switzerlandwest\": \"CHW\",\n \"uaenorth\": \"DXB\",\n \"uksouth\": \"SUK\",\n \"ukwest\": \"WUK\",\n \"westcentralus\": \"WCUS\",\n \"westeurope\": \"WEU\",\n \"westindia\": \"CIN\",\n \"westus\": \"WUS\",\n \"westus2\": \"WUS2\"\n },\n \"locationCode\": \"[[if(contains(variables('locationLongNameToShortMap'), parameters('workspaceRegion')), variables('locationLongNameToShortMap')[parameters('workspaceRegion')], parameters('workspaceRegion'))]\",\n \"subscriptionId\": \"[[subscription().subscriptionId]\",\n \"defaultRGName\": \"[[parameters('dcrResourceGroup')]\",\n \"defaultRGLocation\": \"[[parameters('workspaceRegion')]\",\n \"dcrName\": \"[[parameters('dcrName')]\",\n \"dcrId\": \"[[parameters('dcrId')]\",\n \"dcraName\": \"[[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]\",\n \"deployDataCollectionRules\": \"[[concat('deployDataCollectionRules-', uniqueString(deployment().name))]\",\n \"deployDataCollectionRulesAssociation\": \"[[concat('deployDataCollectionRulesAssociation-', uniqueString(deployment().name))]\",\n \"deployDefenderForSQL\": \"[[concat('deployDefenderForSQL-', uniqueString(deployment().name))]\"\n },\n \"resources\": [\n {\n \"condition\": \"[[empty(parameters('dcrResourceGroup'))]\",\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"name\": \"[[variables('defaultRGName')]\",\n \"apiVersion\": \"2022-09-01\",\n \"location\": \"[[variables('defaultRGLocation')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"name\": \"[[variables('deployDefenderForSQL')]\",\n \"apiVersion\": \"2022-09-01\",\n \"resourceGroup\": \"[[parameters('resourceGroup')]\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[parameters('location')]\"\n },\n \"vmName\": {\n \"value\": \"[[parameters('vmName')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"name\": \"[[concat(parameters('vmName'), '/', 'MicrosoftDefenderForSQL')]\",\n \"apiVersion\": \"2023-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n },\n \"properties\": {\n \"publisher\": \"Microsoft.Azure.AzureDefenderForSQL\",\n \"type\": \"AdvancedThreatProtection.Windows\",\n \"typeHandlerVersion\": \"2.0\",\n \"autoUpgradeMinorVersion\": true,\n \"enableAutomaticUpgrade\": true\n }\n }\n ]\n }\n }\n },\n {\n \"condition\": \"[[empty(parameters('dcrId'))]\",\n \"type\": \"Microsoft.Resources/deployments\",\n \"name\": \"[[variables('deployDataCollectionRules')]\",\n \"apiVersion\": \"2022-09-01\",\n \"resourceGroup\": \"[[variables('defaultRGName')]\",\n \"dependsOn\": [\n \"[[variables('defaultRGName')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"defaultRGLocation\": {\n \"value\": \"[[variables('defaultRGLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"dcrName\": {\n \"value\": \"[[variables('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[variables('dcrId')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"defaultRGLocation\": {\n \"type\": \"string\"\n },\n \"workspaceResourceId\": {\n \"type\": \"string\"\n },\n \"dcrName\": {\n \"type\": \"string\"\n },\n \"dcrId\": {\n \"type\": \"string\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"bool\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Insights/dataCollectionRules\",\n \"name\": \"[[parameters('dcrName')]\",\n \"apiVersion\": \"2021-04-01\",\n \"location\": \"[[parameters('defaultRGLocation')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n },\n \"properties\": {\n \"description\": \"Data collection rule for Microsoft Defender for SQL. Deleting this rule will break the detection of security vulnerabilities.\",\n \"dataSources\": {\n \"extensions\": [\n {\n \"extensionName\": \"MicrosoftDefenderForSQL\",\n \"name\": \"MicrosoftDefenderForSQL\",\n \"streams\": [\n \"Microsoft-DefenderForSqlAlerts\",\n \"Microsoft-DefenderForSqlLogins\",\n \"Microsoft-DefenderForSqlTelemetry\",\n \"Microsoft-DefenderForSqlScanEvents\",\n \"Microsoft-DefenderForSqlScanResults\"\n ],\n \"extensionSettings\": {\n \"enableCollectionOfSqlQueriesForSecurityResearch\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n }\n }\n ]\n },\n \"destinations\": {\n \"logAnalytics\": [\n {\n \"workspaceResourceId\": \"[[parameters('workspaceResourceId')]\",\n \"name\": \"LogAnalyticsDest\"\n }\n ]\n },\n \"dataFlows\": [\n {\n \"streams\": [\n \"Microsoft-DefenderForSqlAlerts\",\n \"Microsoft-DefenderForSqlLogins\",\n \"Microsoft-DefenderForSqlTelemetry\",\n \"Microsoft-DefenderForSqlScanEvents\",\n \"Microsoft-DefenderForSqlScanResults\"\n ],\n \"destinations\": [\n \"LogAnalyticsDest\"\n ]\n }\n ]\n }\n }\n ]\n }\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"name\": \"[[variables('deployDataCollectionRulesAssociation')]\",\n \"apiVersion\": \"2022-09-01\",\n \"resourceGroup\": \"[[parameters('resourceGroup')]\",\n \"dependsOn\": [\n \"[[variables('deployDataCollectionRules')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"dcrId\": {\n \"value\": \"[[variables('dcrId')]\"\n },\n \"dcraName\": {\n \"value\": \"[[variables('dcraName')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"dcrId\": {\n \"type\": \"string\"\n },\n \"dcraName\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations\",\n \"name\": \"[[parameters('dcraName')]\",\n \"apiVersion\": \"2021-04-01\",\n \"properties\": {\n \"description\": \"Configure association between SQL Virtual Machine and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this SQL Virtual Machine.\",\n \"dataCollectionRuleId\": \"[[parameters('dcrId')]\"\n }\n }\n ]\n }\n }\n }\n ]\n },\n \"parameters\": {\n \"resourceGroup\": {\n \"value\": \"[[resourceGroup().name]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#116": "{\n \"name\": \"Deploy-MDFC-SQL-DefenderSQL\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"displayName\": \"[Deprecated]: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL\",\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"description\": \"Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\n \"like\": \"Windows*\"\n },\n {\n \"field\": \"Microsoft.Compute/imagePublisher\",\n \"equals\": \"microsoftsqlserver\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"name\": \"[[concat(field('fullName'), '/MicrosoftDefenderForSQL')]\",\n \"evaluationDelay\": \"AfterProvisioning\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/type\",\n \"equals\": \"AdvancedThreatProtection.Windows\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/publisher\",\n \"equals\": \"Microsoft.Azure.AzureDefenderForSQL\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/provisioningState\",\n \"in\": [\n \"Succeeded\",\n \"Provisioning succeeded\"\n ]\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n },\n \"workspaceRegion\": {\n \"type\": \"string\"\n },\n \"dcrResourceGroup\": {\n \"type\": \"string\"\n },\n \"dcrName\": {\n \"type\": \"string\"\n },\n \"dcrId\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {\n \"locationLongNameToShortMap\": {\n \"australiacentral\": \"CAU\",\n \"australiaeast\": \"EAU\",\n \"australiasoutheast\": \"SEAU\",\n \"brazilsouth\": \"CQ\",\n \"canadacentral\": \"CCA\",\n \"canadaeast\": \"CCA\",\n \"centralindia\": \"CIN\",\n \"centralus\": \"CUS\",\n \"eastasia\": \"EA\",\n \"eastus2euap\": \"eus2p\",\n \"eastus\": \"EUS\",\n \"eastus2\": \"EUS2\",\n \"francecentral\": \"PAR\",\n \"germanywestcentral\": \"DEWC\",\n \"japaneast\": \"EJP\",\n \"jioindiawest\": \"CIN\",\n \"koreacentral\": \"SE\",\n \"koreasouth\": \"SE\",\n \"northcentralus\": \"NCUS\",\n \"northeurope\": \"NEU\",\n \"norwayeast\": \"NOE\",\n \"southafricanorth\": \"JNB\",\n \"southcentralus\": \"SCUS\",\n \"southeastasia\": \"SEA\",\n \"southindia\": \"CIN\",\n \"swedencentral\": \"SEC\",\n \"switzerlandnorth\": \"CHN\",\n \"switzerlandwest\": \"CHW\",\n \"uaenorth\": \"DXB\",\n \"uksouth\": \"SUK\",\n \"ukwest\": \"WUK\",\n \"westcentralus\": \"WCUS\",\n \"westeurope\": \"WEU\",\n \"westindia\": \"CIN\",\n \"westus\": \"WUS\",\n \"westus2\": \"WUS2\"\n },\n \"actualLocation\": \"[[if(empty(parameters('workspaceRegion')), parameters('location'), parameters('workspaceRegion'))]\",\n \"locationCode\": \"[[if(contains(variables('locationLongNameToShortMap'), variables('actualLocation')), variables('locationLongNameToShortMap')[variables('actualLocation')], variables('actualLocation'))]\",\n \"subscriptionId\": \"[[subscription().subscriptionId]\",\n \"defaultRGName\": \"[[parameters('dcrResourceGroup')]\",\n \"dcrName\": \"[[parameters('dcrName')]\",\n \"dcrId\": \"[[parameters('dcrId')]\",\n \"dcraName\": \"[[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]\"\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"name\": \"[[concat(parameters('vmName'), '/', 'MicrosoftDefenderForSQL')]\",\n \"apiVersion\": \"2023-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n },\n \"properties\": {\n \"publisher\": \"Microsoft.Azure.AzureDefenderForSQL\",\n \"type\": \"AdvancedThreatProtection.Windows\",\n \"typeHandlerVersion\": \"2.0\",\n \"autoUpgradeMinorVersion\": true,\n \"enableAutomaticUpgrade\": true\n },\n \"dependsOn\": [\n \"[[extensionResourceId(concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Compute/virtualMachines/', parameters('vmName')), 'Microsoft.Insights/dataCollectionRuleAssociations','MicrosoftDefenderForSQL-RulesAssociation')]\"\n ]\n },\n {\n \"type\": \"Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations\",\n \"name\": \"[[variables('dcraName')]\",\n \"apiVersion\": \"2021-04-01\",\n \"properties\": {\n \"description\": \"Configure association between SQL Virtual Machine and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for this SQL Virtual Machine.\",\n \"dataCollectionRuleId\": \"[[variables('dcrId')]\"\n }\n }\n ]\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#117": "{\n \"name\": \"Deny-APIM-TLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"API Management services should use TLS version 1.2\",\n \"description\": \"Azure API Management service should use TLS version 1.2\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"API Management\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.ApiManagement/service\"\n },\n {\n \"anyOf\": [\n {\n \"value\": \"[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\\\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls10\\\":\\\"true\\\"')]\",\n \"greater\": 0\n },\n {\n \"value\": \"[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\\\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls10\\\":true')]\",\n \"greater\": 0\n },\n {\n \"value\": \"[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\\\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls11\\\":\\\"true\\\"')]\",\n \"greater\": 0\n },\n {\n \"value\": \"[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\\\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls11\\\":true')]\",\n \"greater\": 0\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#118": "{\n \"name\": \"Deny-AppGw-Without-Tls\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Application Gateway should be deployed with predefined Microsoft policy that is using TLS version 1.2\",\n \"description\": \"This policy enables you to restrict that Application Gateways is always deployed with predefined Microsoft policy that is using TLS version 1.2\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"predefinedPolicyName\": {\n \"type\": \"array\",\n \"metadata\": {\n \"displayName\": \"Predefined policy name\",\n \"description\": \"Predefined policy name\"\n },\n \"defaultValue\": [\n \"AppGwSslPolicy20220101\",\n \"AppGwSslPolicy20170401S\",\n \"AppGwSslPolicy20220101S\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/applicationGateways\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/applicationGateways/sslPolicy.policyType\",\n \"notEquals\": \"Predefined\"\n },\n {\n \"field\": \"Microsoft.Network/applicationGateways/sslPolicy.policyType\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Network/applicationGateways/sslPolicy.policyName\",\n \"notIn\": \"[[parameters('predefinedPolicyName')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#119": "{\n \"name\": \"Deny-AppService-without-BYOC\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"App Service certificates must be stored in Key Vault\",\n \"description\": \"App Service (including Logic apps and Function apps) must use certificates stored in Key Vault\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/certificates\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Web/certificates/keyVaultId\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Web/certificates/keyVaultSecretName\",\n \"exists\": \"false\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#110": "{\n \"name\": \"Deploy-UserAssignedManagedIdentity-VMInsights\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"displayName\": \"[Deprecated]: Deploy User Assigned Managed Identity for VM Insights\",\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"description\": \"Policy is deprecated as it's no longer required. User-Assigned Management Identity is now centralized and deployed by Azure Landing Zones to the Management Subscription.\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Managed Identity\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"bringYourOwnUserAssignedManagedIdentity\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Bring Your Own User-Assigned Identity\",\n \"description\": \"Enable this to use your pre-created user-assigned managed identity. The pre-created identity MUST exist within the subscription otherwise the policy deployment will fail. If enabled, ensure that the User-Assigned Identity Name and Identity Resource Group Name parameters match the pre-created identity. If not enabled, the policy will create per subscription, per resource user-assigned managed identities in a new resource group named 'Built-In-Identity-RG'.\"\n },\n \"allowedValues\": [\n true,\n false\n ]\n },\n \"userAssignedIdentityName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User-Assigned Managed Identity Name\",\n \"description\": \"The name of the pre-created user-assigned managed identity.\"\n },\n \"defaultValue\": \"\"\n },\n \"identityResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User-Assigned Managed Identity Resource Group Name\",\n \"description\": \"The resource group in which the pre-created user-assigned managed identity resides.\"\n },\n \"defaultValue\": \"\"\n },\n \"builtInIdentityResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Built-In-Identity-RG Location\",\n \"description\": \"The location of the resource group 'Built-In-Identity-RG' created by the policy. This parameter is only used when 'Bring Your Own User Assigned Identity' parameter is false.\"\n },\n \"defaultValue\": \"eastus\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Policy Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match.\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n {\n \"value\": \"[[requestContext().apiVersion]\",\n \"greaterOrEquals\": \"2018-10-01\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Compute/virtualMachines\",\n \"name\": \"[[field('name')]\",\n \"evaluationDelay\": \"AfterProvisioning\",\n \"deploymentScope\": \"subscription\",\n \"existenceCondition\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"field\": \"identity.type\",\n \"contains\": \"UserAssigned\"\n },\n {\n \"field\": \"identity.userAssignedIdentities\",\n \"containsKey\": \"[[if(parameters('bringYourOwnUserAssignedManagedIdentity'), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('userAssignedIdentityName'))), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/Built-In-Identity-RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/Built-In-Identity-', field('location')))]\"\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"identity.type\",\n \"equals\": \"UserAssigned\"\n },\n {\n \"value\": \"[[string(length(field('identity.userAssignedIdentities')))]\",\n \"equals\": \"1\"\n }\n ]\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"location\": \"eastus\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"bringYourOwnUserAssignedManagedIdentity\": {\n \"value\": \"[[parameters('bringYourOwnUserAssignedManagedIdentity')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"uaName\": {\n \"value\": \"[[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('userAssignedIdentityName'), 'Built-In-Identity')]\"\n },\n \"identityResourceGroup\": {\n \"value\": \"[[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('identityResourceGroup'), 'Built-In-Identity-RG')]\"\n },\n \"builtInIdentityResourceGroupLocation\": {\n \"value\": \"[[parameters('builtInIdentityResourceGroupLocation')]\"\n },\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"vmResourceGroup\": {\n \"value\": \"[[resourceGroup().name]\"\n },\n \"resourceId\": {\n \"value\": \"[[field('id')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.1\",\n \"parameters\": {\n \"bringYourOwnUserAssignedManagedIdentity\": {\n \"type\": \"bool\"\n },\n \"location\": {\n \"type\": \"string\"\n },\n \"uaName\": {\n \"type\": \"string\"\n },\n \"identityResourceGroup\": {\n \"type\": \"string\"\n },\n \"builtInIdentityResourceGroupLocation\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n },\n \"vmResourceGroup\": {\n \"type\": \"string\"\n },\n \"resourceId\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {\n \"uaNameWithLocation\": \"[[concat(parameters('uaName'),'-', parameters('location'))]\",\n \"precreatedUaId\": \"[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('uaName')))]\",\n \"autocreatedUaId\": \"[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('uaName')), '-', parameters('location'))]\",\n \"deployUALockName\": \"[[concat('deployUALock-', uniqueString(deployment().name))]\",\n \"deployUAName\": \"[[concat('deployUA-', uniqueString(deployment().name))]\",\n \"deployGetResourceProperties\": \"[[concat('deployGetResourceProperties-', uniqueString(deployment().name))]\",\n \"deployAssignUAName\": \"[[concat('deployAssignUA-', uniqueString(deployment().name))]\"\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"apiVersion\": \"2020-06-01\",\n \"name\": \"[[parameters('identityResourceGroup')]\",\n \"location\": \"[[parameters('builtInIdentityResourceGroupLocation')]\"\n },\n {\n \"condition\": \"[[parameters('bringYourOwnUserAssignedManagedIdentity')]\",\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2020-06-01\",\n \"name\": \"[[variables('deployUALockName')]\",\n \"resourceGroup\": \"[[parameters('identityResourceGroup')]\",\n \"dependsOn\": [\n \"[[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"uaName\": {\n \"value\": \"[[parameters('uaName')]\"\n },\n \"location\": {\n \"value\": \"[[parameters('location')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"uaName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.ManagedIdentity/userAssignedIdentities\",\n \"name\": \"[[parameters('uaName')]\",\n \"apiVersion\": \"2018-11-30\",\n \"location\": \"[[parameters('location')]\"\n }\n ]\n }\n }\n },\n {\n \"condition\": \"[[not(parameters('bringYourOwnUserAssignedManagedIdentity'))]\",\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2020-06-01\",\n \"name\": \"[[variables('deployUAName')]\",\n \"resourceGroup\": \"[[parameters('identityResourceGroup')]\",\n \"dependsOn\": [\n \"[[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"uaName\": {\n \"value\": \"[[variables('uaNameWithLocation')]\"\n },\n \"location\": {\n \"value\": \"[[parameters('location')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"uaName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.ManagedIdentity/userAssignedIdentities\",\n \"name\": \"[[parameters('uaName')]\",\n \"apiVersion\": \"2018-11-30\",\n \"location\": \"[[parameters('location')]\"\n },\n {\n \"type\": \"Microsoft.ManagedIdentity/userAssignedIdentities/providers/locks\",\n \"apiVersion\": \"2016-09-01\",\n \"name\": \"[[concat(parameters('uaName'), '/Microsoft.Authorization/', 'CanNotDeleteLock-', parameters('uaName'))]\",\n \"dependsOn\": [\n \"[[parameters('uaName')]\"\n ],\n \"properties\": {\n \"level\": \"CanNotDelete\",\n \"notes\": \"Please do not delete this User-Assigned Identity since extensions enabled by Azure Policy are relying on their existence.\"\n }\n }\n ]\n }\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2020-06-01\",\n \"name\": \"[[variables('deployGetResourceProperties')]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [\n \"[[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]\",\n \"[[variables('deployUAName')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"resources\": [],\n \"outputs\": {\n \"resource\": {\n \"type\": \"object\",\n \"value\": \"[[reference(parameters('resourceId'), '2019-07-01', 'Full')]\"\n }\n }\n }\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2020-06-01\",\n \"name\": \"[[concat(variables('deployAssignUAName'))]\",\n \"resourceGroup\": \"[[parameters('vmResourceGroup')]\",\n \"dependsOn\": [\n \"[[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]\",\n \"[[variables('deployUAName')]\",\n \"[[variables('deployGetResourceProperties')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"uaId\": {\n \"value\": \"[[if(parameters('bringYourOwnUserAssignedManagedIdentity'), variables('precreatedUaId'), variables('autocreatedUaId'))]\"\n },\n \"vmName\": {\n \"value\": \"[[parameters('vmName')]\"\n },\n \"location\": {\n \"value\": \"[[parameters('location')]\"\n },\n \"identityType\": {\n \"value\": \"[[if(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.type, '')]\"\n },\n \"userAssignedIdentities\": {\n \"value\": \"[[if(and(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), contains(reference(variables('deployGetResourceProperties')).outputs.resource.value.identity, 'userAssignedIdentities')), reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.userAssignedIdentities, createObject())]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"uaId\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n },\n \"identityType\": {\n \"type\": \"string\"\n },\n \"userAssignedIdentities\": {\n \"type\": \"object\"\n }\n },\n \"variables\": {\n \"identityTypeValue\": \"[[if(contains(parameters('identityType'), 'SystemAssigned'), 'SystemAssigned,UserAssigned', 'UserAssigned')]\",\n \"userAssignedIdentitiesValue\": \"[[union(parameters('userAssignedIdentities'), createObject(parameters('uaId'), createObject()))]\",\n \"resourceWithSingleUAI\": \"[[and(equals(parameters('identityType'), 'UserAssigned'), equals(string(length(parameters('userAssignedIdentities'))), '1'))]\"\n },\n \"resources\": [\n {\n \"condition\": \"[[not(variables('resourceWithSingleUAI'))]\",\n \"apiVersion\": \"2019-07-01\",\n \"type\": \"Microsoft.Compute/virtualMachines\",\n \"name\": \"[[parameters('vmName')]\",\n \"location\": \"[[parameters('location')]\",\n \"identity\": {\n \"type\": \"[[variables('identityTypeValue')]\",\n \"userAssignedIdentities\": \"[[variables('userAssignedIdentitiesValue')]\"\n }\n }\n ]\n }\n }\n }\n ]\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#111": "{\n \"name\": \"Deploy-MDFC-Arc-SQL-DCR-Association\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Configure Arc-enabled SQL Servers with DCR Association to Microsoft Defender for SQL user-defined DCR\",\n \"description\": \"Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/2227e1f1-23dd-4c3a-85a9-7024a401d8b2.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"2227e1f1-23dd-4c3a-85a9-7024a401d8b2\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.HybridCompute/machines\"\n },\n {\n \"field\": \"Microsoft.HybridCompute/machines/osName\",\n \"equals\": \"Windows\"\n },\n {\n \"field\": \"Microsoft.HybridCompute/machines/mssqlDiscovered\",\n \"equals\": \"true\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/dataCollectionRuleAssociations\",\n \"name\": \"MicrosoftDefenderForSQL-RulesAssociation\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceGroup\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n },\n \"workspaceRegion\": {\n \"type\": \"string\"\n },\n \"dcrName\": {\n \"type\": \"string\"\n },\n \"dcrResourceGroup\": {\n \"type\": \"string\"\n },\n \"dcrId\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {\n \"locationLongNameToShortMap\": {\n \"australiacentral\": \"CAU\",\n \"australiaeast\": \"EAU\",\n \"australiasoutheast\": \"SEAU\",\n \"brazilsouth\": \"CQ\",\n \"canadacentral\": \"CCA\",\n \"canadaeast\": \"CCA\",\n \"centralindia\": \"CIN\",\n \"centralus\": \"CUS\",\n \"eastasia\": \"EA\",\n \"eastus2euap\": \"eus2p\",\n \"eastus\": \"EUS\",\n \"eastus2\": \"EUS2\",\n \"francecentral\": \"PAR\",\n \"germanywestcentral\": \"DEWC\",\n \"japaneast\": \"EJP\",\n \"jioindiawest\": \"CIN\",\n \"koreacentral\": \"SE\",\n \"koreasouth\": \"SE\",\n \"northcentralus\": \"NCUS\",\n \"northeurope\": \"NEU\",\n \"norwayeast\": \"NOE\",\n \"southafricanorth\": \"JNB\",\n \"southcentralus\": \"SCUS\",\n \"southeastasia\": \"SEA\",\n \"southindia\": \"CIN\",\n \"swedencentral\": \"SEC\",\n \"switzerlandnorth\": \"CHN\",\n \"switzerlandwest\": \"CHW\",\n \"uaenorth\": \"DXB\",\n \"uksouth\": \"SUK\",\n \"ukwest\": \"WUK\",\n \"westcentralus\": \"WCUS\",\n \"westeurope\": \"WEU\",\n \"westindia\": \"CIN\",\n \"westus\": \"WUS\",\n \"westus2\": \"WUS2\"\n },\n \"locationCode\": \"[[if(contains(variables('locationLongNameToShortMap'), parameters('workspaceRegion')), variables('locationLongNameToShortMap')[parameters('workspaceRegion')], parameters('workspaceRegion'))]\",\n \"subscriptionId\": \"[[subscription().subscriptionId]\",\n \"defaultRGName\": \"[[parameters('resourceGroup')]\",\n \"dcrName\": \"[[parameters('dcrName')]\",\n \"dcrId\": \"[[parameters('dcrId')]\",\n \"dcraName\": \"[[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]\"\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.HybridCompute/machines/providers/dataCollectionRuleAssociations\",\n \"name\": \"[[variables('dcraName')]\",\n \"apiVersion\": \"2021-04-01\",\n \"properties\": {\n \"description\": \"Configure association between Arc-enabled SQL Server and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Server.\",\n \"dataCollectionRuleId\": \"[[variables('dcrId')]\"\n }\n }\n ]\n },\n \"parameters\": {\n \"resourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#112": "{\n \"name\": \"Deploy-MDFC-Arc-Sql-DefenderSQL-DCR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Configure Arc-enabled SQL Servers to auto install Microsoft Defender for SQL and DCR with a user-defined LAW\",\n \"description\": \"Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/63d03cbd-47fd-4ee1-8a1c-9ddf07303de0.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"63d03cbd-47fd-4ee1-8a1c-9ddf07303de0\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace Resource Id\",\n \"description\": \"Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Enable collection of SQL queries for security research\",\n \"description\": \"Enable or disable the collection of SQL queries for security research.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.HybridCompute/machines\"\n },\n {\n \"field\": \"Microsoft.HybridCompute/machines/osName\",\n \"equals\": \"Windows\"\n },\n {\n \"field\": \"Microsoft.HybridCompute/machines/mssqlDiscovered\",\n \"equals\": \"true\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/dataCollectionRules\",\n \"deploymentScope\": \"subscription\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('workspaceRegion')]\"\n },\n {\n \"field\": \"name\",\n \"equals\": \"[[parameters('dcrName')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"eastus\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceGroup\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"string\"\n },\n \"workspaceRegion\": {\n \"type\": \"string\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"bool\"\n },\n \"dcrName\": {\n \"type\": \"string\"\n },\n \"dcrResourceGroup\": {\n \"type\": \"string\"\n },\n \"dcrId\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {\n \"locationLongNameToShortMap\": {\n \"australiacentral\": \"CAU\",\n \"australiaeast\": \"EAU\",\n \"australiasoutheast\": \"SEAU\",\n \"brazilsouth\": \"CQ\",\n \"canadacentral\": \"CCA\",\n \"canadaeast\": \"CCA\",\n \"centralindia\": \"CIN\",\n \"centralus\": \"CUS\",\n \"eastasia\": \"EA\",\n \"eastus2euap\": \"eus2p\",\n \"eastus\": \"EUS\",\n \"eastus2\": \"EUS2\",\n \"francecentral\": \"PAR\",\n \"germanywestcentral\": \"DEWC\",\n \"japaneast\": \"EJP\",\n \"jioindiawest\": \"CIN\",\n \"koreacentral\": \"SE\",\n \"koreasouth\": \"SE\",\n \"northcentralus\": \"NCUS\",\n \"northeurope\": \"NEU\",\n \"norwayeast\": \"NOE\",\n \"southafricanorth\": \"JNB\",\n \"southcentralus\": \"SCUS\",\n \"southeastasia\": \"SEA\",\n \"southindia\": \"CIN\",\n \"swedencentral\": \"SEC\",\n \"switzerlandnorth\": \"CHN\",\n \"switzerlandwest\": \"CHW\",\n \"uaenorth\": \"DXB\",\n \"uksouth\": \"SUK\",\n \"ukwest\": \"WUK\",\n \"westcentralus\": \"WCUS\",\n \"westeurope\": \"WEU\",\n \"westindia\": \"CIN\",\n \"westus\": \"WUS\",\n \"westus2\": \"WUS2\"\n },\n \"locationCode\": \"[[if(contains(variables('locationLongNameToShortMap'), parameters('workspaceRegion')), variables('locationLongNameToShortMap')[parameters('workspaceRegion')], parameters('workspaceRegion'))]\",\n \"subscriptionId\": \"[[subscription().subscriptionId]\",\n \"defaultRGName\": \"[[parameters('resourceGroup')]\",\n \"defaultRGLocation\": \"[[parameters('workspaceRegion')]\",\n \"dcrName\": \"[[parameters('dcrName')]\",\n \"dcrId\": \"[[parameters('dcrId')]\",\n \"dcraName\": \"[[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]\",\n \"deployDataCollectionRules\": \"[[concat('deployDataCollectionRules-', uniqueString(deployment().name))]\",\n \"deployDataCollectionRulesAssociation\": \"[[concat('deployDataCollectionRulesAssociation-', uniqueString(deployment().name))]\"\n },\n \"resources\": [\n {\n \"condition\": \"[[empty(parameters('dcrResourceGroup'))]\",\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"name\": \"[[variables('defaultRGName')]\",\n \"apiVersion\": \"2022-09-01\",\n \"location\": \"[[variables('defaultRGLocation')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n }\n },\n {\n \"condition\": \"[[empty(parameters('dcrId'))]\",\n \"type\": \"Microsoft.Resources/deployments\",\n \"name\": \"[[variables('deployDataCollectionRules')]\",\n \"apiVersion\": \"2022-09-01\",\n \"resourceGroup\": \"[[variables('defaultRGName')]\",\n \"dependsOn\": [\n \"[[variables('defaultRGName')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"defaultRGLocation\": {\n \"value\": \"[[variables('defaultRGLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"dcrName\": {\n \"value\": \"[[variables('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[variables('dcrId')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"defaultRGLocation\": {\n \"type\": \"string\"\n },\n \"workspaceResourceId\": {\n \"type\": \"string\"\n },\n \"dcrName\": {\n \"type\": \"string\"\n },\n \"dcrId\": {\n \"type\": \"string\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"bool\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Insights/dataCollectionRules\",\n \"name\": \"[[parameters('dcrName')]\",\n \"apiVersion\": \"2021-04-01\",\n \"location\": \"[[parameters('defaultRGLocation')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n },\n \"properties\": {\n \"description\": \"Data collection rule for Microsoft Defender for SQL. Deleting this rule will break the detection of security vulnerabilities.\",\n \"dataSources\": {\n \"extensions\": [\n {\n \"extensionName\": \"MicrosoftDefenderForSQL\",\n \"name\": \"MicrosoftDefenderForSQL\",\n \"streams\": [\n \"Microsoft-DefenderForSqlAlerts\",\n \"Microsoft-DefenderForSqlLogins\",\n \"Microsoft-DefenderForSqlTelemetry\",\n \"Microsoft-DefenderForSqlScanEvents\",\n \"Microsoft-DefenderForSqlScanResults\"\n ],\n \"extensionSettings\": {\n \"enableCollectionOfSqlQueriesForSecurityResearch\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n }\n }\n ]\n },\n \"destinations\": {\n \"logAnalytics\": [\n {\n \"workspaceResourceId\": \"[[parameters('workspaceResourceId')]\",\n \"name\": \"LogAnalyticsDest\"\n }\n ]\n },\n \"dataFlows\": [\n {\n \"streams\": [\n \"Microsoft-DefenderForSqlAlerts\",\n \"Microsoft-DefenderForSqlLogins\",\n \"Microsoft-DefenderForSqlTelemetry\",\n \"Microsoft-DefenderForSqlScanEvents\",\n \"Microsoft-DefenderForSqlScanResults\"\n ],\n \"destinations\": [\n \"LogAnalyticsDest\"\n ]\n }\n ]\n }\n }\n ]\n }\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"name\": \"[[variables('deployDataCollectionRulesAssociation')]\",\n \"apiVersion\": \"2022-09-01\",\n \"resourceGroup\": \"[[parameters('resourceGroup')]\",\n \"dependsOn\": [\n \"[[variables('deployDataCollectionRules')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"dcrId\": {\n \"value\": \"[[variables('dcrId')]\"\n },\n \"dcraName\": {\n \"value\": \"[[variables('dcraName')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"dcrId\": {\n \"type\": \"string\"\n },\n \"dcraName\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.HybridCompute/machines/providers/dataCollectionRuleAssociations\",\n \"name\": \"[[parameters('dcraName')]\",\n \"apiVersion\": \"2021-04-01\",\n \"properties\": {\n \"description\": \"Configure association between Arc-enabled SQL Server and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Server.\",\n \"dataCollectionRuleId\": \"[[parameters('dcrId')]\"\n }\n }\n ]\n }\n }\n }\n ]\n },\n \"parameters\": {\n \"resourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#113": "{\n \"name\": \"Deploy-MDFC-SQL-AMA\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Configure SQL Virtual Machines to automatically install Azure Monitor Agent\",\n \"description\": \"Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/f91991d1-5383-4c95-8ee5-5ac423dd8bb1.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"f91991d1-5383-4c95-8ee5-5ac423dd8bb1\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"identityResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Identity Resource Group\",\n \"description\": \"The name of the resource group created by the policy.\"\n },\n \"defaultValue\": \"\"\n },\n \"userAssignedIdentityName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User Assigned Managed Identity Name\",\n \"description\": \"The name of the user assigned managed identity.\"\n },\n \"defaultValue\": \"\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\n \"like\": \"Windows*\"\n },\n {\n \"field\": \"Microsoft.Compute/imagePublisher\",\n \"equals\": \"microsoftsqlserver\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"evaluationDelay\": \"AfterProvisioning\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"\n ],\n \"name\": \"[[concat(field('fullName'), '/AzureMonitorWindowsAgent')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/type\",\n \"equals\": \"AzureMonitorWindowsAgent\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/publisher\",\n \"equals\": \"Microsoft.Azure.Monitor\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/provisioningState\",\n \"in\": [\n \"Succeeded\",\n \"Provisioning succeeded\"\n ]\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"vmName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n },\n \"userAssignedManagedIdentity\": {\n \"type\": \"string\"\n },\n \"userAssignedIdentityName\": {\n \"type\": \"string\"\n },\n \"identityResourceGroup\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {\n \"extensionName\": \"AzureMonitorWindowsAgent\",\n \"extensionPublisher\": \"Microsoft.Azure.Monitor\",\n \"extensionType\": \"AzureMonitorWindowsAgent\",\n \"extensionTypeHandlerVersion\": \"1.2\"\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('vmName'), '/', variables('extensionName'))]\",\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"location\": \"[[parameters('location')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n },\n \"apiVersion\": \"2023-03-01\",\n \"properties\": {\n \"publisher\": \"[[variables('extensionPublisher')]\",\n \"type\": \"[[variables('extensionType')]\",\n \"typeHandlerVersion\": \"[[variables('extensionTypeHandlerVersion')]\",\n \"autoUpgradeMinorVersion\": true,\n \"enableAutomaticUpgrade\": true,\n \"settings\": {\n \"authentication\": {\n \"managedIdentity\": {\n \"identifier-name\": \"mi_res_id\",\n \"identifier-value\": \"[[parameters('userAssignedManagedIdentity')]\"\n }\n }\n }\n }\n }\n ]\n },\n \"parameters\": {\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"userAssignedManagedIdentity\": {\n \"value\": \"[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('userAssignedIdentityName')))]\"\n },\n \"userAssignedIdentityName\": {\n \"value\": \"[[parameters('userAssignedIdentityName')]\"\n },\n \"identityResourceGroup\": {\n \"value\": \"[[parameters('identityResourceGroup')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#114": "{\n \"name\": \"Deploy-MDFC-SQL-DefenderSQL-DCR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Configure SQL Virtual Machines to auto install Microsoft Defender for SQL and DCR with a user-defined LAW\",\n \"description\": \"Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/04754ef9-9ae3-4477-bf17-86ef50026304.html\",\n \"metadata\": {\n \"version\": \"1.0.1-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"04754ef9-9ae3-4477-bf17-86ef50026304\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace Resource Id\",\n \"description\": \"Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Enable collection of SQL queries for security research\",\n \"description\": \"Enable or disable the collection of SQL queries for security research.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\n \"like\": \"Windows*\"\n },\n {\n \"field\": \"Microsoft.Compute/imagePublisher\",\n \"equals\": \"microsoftsqlserver\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/dataCollectionRules\",\n \"evaluationDelay\": \"AfterProvisioning\",\n \"deploymentScope\": \"subscription\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('workspaceRegion')]\"\n },\n {\n \"field\": \"name\",\n \"equals\": \"[[parameters('dcrName')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"eastus\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceGroup\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"string\"\n },\n \"workspaceRegion\": {\n \"type\": \"string\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"bool\"\n },\n \"dcrName\": {\n \"type\": \"string\"\n },\n \"dcrResourceGroup\": {\n \"type\": \"string\"\n },\n \"dcrId\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {\n \"locationLongNameToShortMap\": {\n \"australiacentral\": \"CAU\",\n \"australiaeast\": \"EAU\",\n \"australiasoutheast\": \"SEAU\",\n \"brazilsouth\": \"CQ\",\n \"canadacentral\": \"CCA\",\n \"canadaeast\": \"CCA\",\n \"centralindia\": \"CIN\",\n \"centralus\": \"CUS\",\n \"eastasia\": \"EA\",\n \"eastus2euap\": \"eus2p\",\n \"eastus\": \"EUS\",\n \"eastus2\": \"EUS2\",\n \"francecentral\": \"PAR\",\n \"germanywestcentral\": \"DEWC\",\n \"japaneast\": \"EJP\",\n \"jioindiawest\": \"CIN\",\n \"koreacentral\": \"SE\",\n \"koreasouth\": \"SE\",\n \"northcentralus\": \"NCUS\",\n \"northeurope\": \"NEU\",\n \"norwayeast\": \"NOE\",\n \"southafricanorth\": \"JNB\",\n \"southcentralus\": \"SCUS\",\n \"southeastasia\": \"SEA\",\n \"southindia\": \"CIN\",\n \"swedencentral\": \"SEC\",\n \"switzerlandnorth\": \"CHN\",\n \"switzerlandwest\": \"CHW\",\n \"uaenorth\": \"DXB\",\n \"uksouth\": \"SUK\",\n \"ukwest\": \"WUK\",\n \"westcentralus\": \"WCUS\",\n \"westeurope\": \"WEU\",\n \"westindia\": \"CIN\",\n \"westus\": \"WUS\",\n \"westus2\": \"WUS2\"\n },\n \"locationCode\": \"[[if(contains(variables('locationLongNameToShortMap'), parameters('workspaceRegion')), variables('locationLongNameToShortMap')[parameters('workspaceRegion')], parameters('workspaceRegion'))]\",\n \"subscriptionId\": \"[[subscription().subscriptionId]\",\n \"defaultRGName\": \"[[parameters('dcrResourceGroup')]\",\n \"defaultRGLocation\": \"[[parameters('workspaceRegion')]\",\n \"dcrName\": \"[[parameters('dcrName')]\",\n \"dcrId\": \"[[parameters('dcrId')]\",\n \"dcraName\": \"[[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]\",\n \"deployDataCollectionRules\": \"[[concat('deployDataCollectionRules-', uniqueString(deployment().name))]\",\n \"deployDataCollectionRulesAssociation\": \"[[concat('deployDataCollectionRulesAssociation-', uniqueString(deployment().name))]\",\n \"deployDefenderForSQL\": \"[[concat('deployDefenderForSQL-', uniqueString(deployment().name))]\"\n },\n \"resources\": [\n {\n \"condition\": \"[[empty(parameters('dcrResourceGroup'))]\",\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"name\": \"[[variables('defaultRGName')]\",\n \"apiVersion\": \"2022-09-01\",\n \"location\": \"[[variables('defaultRGLocation')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"name\": \"[[variables('deployDefenderForSQL')]\",\n \"apiVersion\": \"2022-09-01\",\n \"resourceGroup\": \"[[parameters('resourceGroup')]\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[parameters('location')]\"\n },\n \"vmName\": {\n \"value\": \"[[parameters('vmName')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"name\": \"[[concat(parameters('vmName'), '/', 'MicrosoftDefenderForSQL')]\",\n \"apiVersion\": \"2023-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n },\n \"properties\": {\n \"publisher\": \"Microsoft.Azure.AzureDefenderForSQL\",\n \"type\": \"AdvancedThreatProtection.Windows\",\n \"typeHandlerVersion\": \"2.0\",\n \"autoUpgradeMinorVersion\": true,\n \"enableAutomaticUpgrade\": true\n }\n }\n ]\n }\n }\n },\n {\n \"condition\": \"[[empty(parameters('dcrId'))]\",\n \"type\": \"Microsoft.Resources/deployments\",\n \"name\": \"[[variables('deployDataCollectionRules')]\",\n \"apiVersion\": \"2022-09-01\",\n \"resourceGroup\": \"[[variables('defaultRGName')]\",\n \"dependsOn\": [\n \"[[variables('defaultRGName')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"defaultRGLocation\": {\n \"value\": \"[[variables('defaultRGLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"dcrName\": {\n \"value\": \"[[variables('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[variables('dcrId')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"defaultRGLocation\": {\n \"type\": \"string\"\n },\n \"workspaceResourceId\": {\n \"type\": \"string\"\n },\n \"dcrName\": {\n \"type\": \"string\"\n },\n \"dcrId\": {\n \"type\": \"string\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"bool\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Insights/dataCollectionRules\",\n \"name\": \"[[parameters('dcrName')]\",\n \"apiVersion\": \"2021-04-01\",\n \"location\": \"[[parameters('defaultRGLocation')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n },\n \"properties\": {\n \"description\": \"Data collection rule for Microsoft Defender for SQL. Deleting this rule will break the detection of security vulnerabilities.\",\n \"dataSources\": {\n \"extensions\": [\n {\n \"extensionName\": \"MicrosoftDefenderForSQL\",\n \"name\": \"MicrosoftDefenderForSQL\",\n \"streams\": [\n \"Microsoft-DefenderForSqlAlerts\",\n \"Microsoft-DefenderForSqlLogins\",\n \"Microsoft-DefenderForSqlTelemetry\",\n \"Microsoft-DefenderForSqlScanEvents\",\n \"Microsoft-DefenderForSqlScanResults\"\n ],\n \"extensionSettings\": {\n \"enableCollectionOfSqlQueriesForSecurityResearch\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n }\n }\n ]\n },\n \"destinations\": {\n \"logAnalytics\": [\n {\n \"workspaceResourceId\": \"[[parameters('workspaceResourceId')]\",\n \"name\": \"LogAnalyticsDest\"\n }\n ]\n },\n \"dataFlows\": [\n {\n \"streams\": [\n \"Microsoft-DefenderForSqlAlerts\",\n \"Microsoft-DefenderForSqlLogins\",\n \"Microsoft-DefenderForSqlTelemetry\",\n \"Microsoft-DefenderForSqlScanEvents\",\n \"Microsoft-DefenderForSqlScanResults\"\n ],\n \"destinations\": [\n \"LogAnalyticsDest\"\n ]\n }\n ]\n }\n }\n ]\n }\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"name\": \"[[variables('deployDataCollectionRulesAssociation')]\",\n \"apiVersion\": \"2022-09-01\",\n \"resourceGroup\": \"[[parameters('resourceGroup')]\",\n \"dependsOn\": [\n \"[[variables('deployDataCollectionRules')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"dcrId\": {\n \"value\": \"[[variables('dcrId')]\"\n },\n \"dcraName\": {\n \"value\": \"[[variables('dcraName')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"dcrId\": {\n \"type\": \"string\"\n },\n \"dcraName\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations\",\n \"name\": \"[[parameters('dcraName')]\",\n \"apiVersion\": \"2021-04-01\",\n \"properties\": {\n \"description\": \"Configure association between SQL Virtual Machine and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this SQL Virtual Machine.\",\n \"dataCollectionRuleId\": \"[[parameters('dcrId')]\"\n }\n }\n ]\n }\n }\n }\n ]\n },\n \"parameters\": {\n \"resourceGroup\": {\n \"value\": \"[[resourceGroup().name]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#115": "{\n \"name\": \"Deploy-MDFC-SQL-DefenderSQL\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"displayName\": \"[Deprecated]: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL\",\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"description\": \"Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\n \"like\": \"Windows*\"\n },\n {\n \"field\": \"Microsoft.Compute/imagePublisher\",\n \"equals\": \"microsoftsqlserver\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"name\": \"[[concat(field('fullName'), '/MicrosoftDefenderForSQL')]\",\n \"evaluationDelay\": \"AfterProvisioning\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/type\",\n \"equals\": \"AdvancedThreatProtection.Windows\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/publisher\",\n \"equals\": \"Microsoft.Azure.AzureDefenderForSQL\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/provisioningState\",\n \"in\": [\n \"Succeeded\",\n \"Provisioning succeeded\"\n ]\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n },\n \"workspaceRegion\": {\n \"type\": \"string\"\n },\n \"dcrResourceGroup\": {\n \"type\": \"string\"\n },\n \"dcrName\": {\n \"type\": \"string\"\n },\n \"dcrId\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {\n \"locationLongNameToShortMap\": {\n \"australiacentral\": \"CAU\",\n \"australiaeast\": \"EAU\",\n \"australiasoutheast\": \"SEAU\",\n \"brazilsouth\": \"CQ\",\n \"canadacentral\": \"CCA\",\n \"canadaeast\": \"CCA\",\n \"centralindia\": \"CIN\",\n \"centralus\": \"CUS\",\n \"eastasia\": \"EA\",\n \"eastus2euap\": \"eus2p\",\n \"eastus\": \"EUS\",\n \"eastus2\": \"EUS2\",\n \"francecentral\": \"PAR\",\n \"germanywestcentral\": \"DEWC\",\n \"japaneast\": \"EJP\",\n \"jioindiawest\": \"CIN\",\n \"koreacentral\": \"SE\",\n \"koreasouth\": \"SE\",\n \"northcentralus\": \"NCUS\",\n \"northeurope\": \"NEU\",\n \"norwayeast\": \"NOE\",\n \"southafricanorth\": \"JNB\",\n \"southcentralus\": \"SCUS\",\n \"southeastasia\": \"SEA\",\n \"southindia\": \"CIN\",\n \"swedencentral\": \"SEC\",\n \"switzerlandnorth\": \"CHN\",\n \"switzerlandwest\": \"CHW\",\n \"uaenorth\": \"DXB\",\n \"uksouth\": \"SUK\",\n \"ukwest\": \"WUK\",\n \"westcentralus\": \"WCUS\",\n \"westeurope\": \"WEU\",\n \"westindia\": \"CIN\",\n \"westus\": \"WUS\",\n \"westus2\": \"WUS2\"\n },\n \"actualLocation\": \"[[if(empty(parameters('workspaceRegion')), parameters('location'), parameters('workspaceRegion'))]\",\n \"locationCode\": \"[[if(contains(variables('locationLongNameToShortMap'), variables('actualLocation')), variables('locationLongNameToShortMap')[variables('actualLocation')], variables('actualLocation'))]\",\n \"subscriptionId\": \"[[subscription().subscriptionId]\",\n \"defaultRGName\": \"[[parameters('dcrResourceGroup')]\",\n \"dcrName\": \"[[parameters('dcrName')]\",\n \"dcrId\": \"[[parameters('dcrId')]\",\n \"dcraName\": \"[[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]\"\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"name\": \"[[concat(parameters('vmName'), '/', 'MicrosoftDefenderForSQL')]\",\n \"apiVersion\": \"2023-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n },\n \"properties\": {\n \"publisher\": \"Microsoft.Azure.AzureDefenderForSQL\",\n \"type\": \"AdvancedThreatProtection.Windows\",\n \"typeHandlerVersion\": \"2.0\",\n \"autoUpgradeMinorVersion\": true,\n \"enableAutomaticUpgrade\": true\n },\n \"dependsOn\": [\n \"[[extensionResourceId(concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Compute/virtualMachines/', parameters('vmName')), 'Microsoft.Insights/dataCollectionRuleAssociations','MicrosoftDefenderForSQL-RulesAssociation')]\"\n ]\n },\n {\n \"type\": \"Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations\",\n \"name\": \"[[variables('dcraName')]\",\n \"apiVersion\": \"2021-04-01\",\n \"properties\": {\n \"description\": \"Configure association between SQL Virtual Machine and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for this SQL Virtual Machine.\",\n \"dataCollectionRuleId\": \"[[variables('dcrId')]\"\n }\n }\n ]\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#116": "{\n \"name\": \"Deny-APIM-TLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"API Management services should use TLS version 1.2\",\n \"description\": \"Azure API Management service should use TLS version 1.2\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"API Management\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.ApiManagement/service\"\n },\n {\n \"anyOf\": [\n {\n \"value\": \"[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\\\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls10\\\":\\\"true\\\"')]\",\n \"greater\": 0\n },\n {\n \"value\": \"[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\\\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls10\\\":true')]\",\n \"greater\": 0\n },\n {\n \"value\": \"[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\\\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls11\\\":\\\"true\\\"')]\",\n \"greater\": 0\n },\n {\n \"value\": \"[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\\\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls11\\\":true')]\",\n \"greater\": 0\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#117": "{\n \"name\": \"Deny-AppGw-Without-Tls\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Application Gateway should be deployed with predefined Microsoft policy that is using TLS version 1.2\",\n \"description\": \"This policy enables you to restrict that Application Gateways is always deployed with predefined Microsoft policy that is using TLS version 1.2\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"predefinedPolicyName\": {\n \"type\": \"array\",\n \"metadata\": {\n \"displayName\": \"Predefined policy name\",\n \"description\": \"Predefined policy name\"\n },\n \"defaultValue\": [\n \"AppGwSslPolicy20220101\",\n \"AppGwSslPolicy20170401S\",\n \"AppGwSslPolicy20220101S\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/applicationGateways\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/applicationGateways/sslPolicy.policyType\",\n \"notEquals\": \"Predefined\"\n },\n {\n \"field\": \"Microsoft.Network/applicationGateways/sslPolicy.policyType\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Network/applicationGateways/sslPolicy.policyName\",\n \"notIn\": \"[[parameters('predefinedPolicyName')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#118": "{\n \"name\": \"Deny-AppService-without-BYOC\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"App Service certificates must be stored in Key Vault\",\n \"description\": \"App Service (including Logic apps and Function apps) must use certificates stored in Key Vault\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/certificates\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Web/certificates/keyVaultId\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Web/certificates/keyVaultSecretName\",\n \"exists\": \"false\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#119": "{\n \"name\": \"Deny-AzFw-Without-Policy\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Azure Firewall should have a default Firewall Policy\",\n \"description\": \"This policy denies the creation of Azure Firewall without a default Firewall Policy.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/azureFirewalls\"\n },\n {\n \"field\": \"Microsoft.Network/azureFirewalls/firewallPolicy.id\",\n \"exists\": \"false\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", "$fxv#12": "{\n \"name\": \"Deny-AppServiceWebApp-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Web Application should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"kind\",\n \"like\": \"app*\"\n },\n {\n \"field\": \"Microsoft.Web/sites/httpsOnly\",\n \"equals\": \"false\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#120": "{\n \"name\": \"Deny-AzFw-Without-Policy\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Azure Firewall should have a default Firewall Policy\",\n \"description\": \"This policy denies the creation of Azure Firewall without a default Firewall Policy.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/azureFirewalls\"\n },\n {\n \"field\": \"Microsoft.Network/azureFirewalls/firewallPolicy.id\",\n \"exists\": \"false\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#121": "{\n \"name\": \"Deny-CognitiveServices-NetworkAcls\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Network ACLs should be restricted for Cognitive Services\",\n \"description\": \"Azure Cognitive Services should not allow adding individual IPs or virtual network rules to the service-level firewall. Enable this to restrict inbound network access and enforce the usage of private endpoints.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.CognitiveServices/accounts\"\n },\n {\n \"anyOf\": [\n {\n \"count\": {\n \"field\": \"Microsoft.CognitiveServices/accounts/networkAcls.ipRules[*]\"\n },\n \"greater\": 0\n },\n {\n \"count\": {\n \"field\": \"Microsoft.CognitiveServices/accounts/networkAcls.virtualNetworkRules[*]\"\n },\n \"greater\": 0\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#122": "{\n \"name\": \"Deny-CognitiveServices-Resource-Kinds\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Only explicit kinds for Cognitive Services should be allowed\",\n \"description\": \"Azure Cognitive Services should only create explicit allowed kinds.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"allowedKinds\": {\n \"type\": \"array\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Select the allowed resource kinds to be used with Cognitive Services\"\n },\n \"allowedValues\": [\n \"AnomalyDetector\",\n \"ComputerVision\",\n \"CognitiveServices\",\n \"ContentModerator\",\n \"CustomVision.Training\",\n \"CustomVision.Prediction\",\n \"Face\",\n \"FormRecognizer\",\n \"ImmersiveReader\",\n \"LUIS\",\n \"Personalizer\",\n \"SpeechServices\",\n \"TextAnalytics\",\n \"TextTranslation\",\n \"OpenAI\"\n ],\n \"defaultValue\": [\n \"AnomalyDetector\",\n \"ComputerVision\",\n \"CognitiveServices\",\n \"ContentModerator\",\n \"CustomVision.Training\",\n \"CustomVision.Prediction\",\n \"Face\",\n \"FormRecognizer\",\n \"ImmersiveReader\",\n \"LUIS\",\n \"Personalizer\",\n \"SpeechServices\",\n \"TextAnalytics\",\n \"TextTranslation\",\n \"OpenAI\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.CognitiveServices/accounts\"\n },\n {\n \"field\": \"kind\",\n \"notIn\": \"[[parameters('allowedKinds')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#123": "{\n \"name\": \"Deny-CognitiveServices-RestrictOutboundNetworkAccess\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Outbound network access should be restricted for Cognitive Services\",\n \"description\": \"Azure Cognitive Services allow restricting outbound network access. Enable this to limit outbound connectivity for the service.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.CognitiveServices/accounts\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.CognitiveServices/accounts/restrictOutboundNetworkAccess\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.CognitiveServices/accounts/restrictOutboundNetworkAccess\",\n \"notEquals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#124": "{\n \"name\": \"Deny-EH-minTLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Event Hub namespaces should use a valid TLS version\",\n \"description\": \"Event Hub namespaces should use a valid TLS version.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Hub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minTlsVersion\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Minimum TLS Version\",\n \"description\": \"Minimum TLS version to be used by Event Hub\"\n },\n \"defaultValue\": \"1.2\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.EventHub/namespaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.EventHub/namespaces/minimumTlsVersion\",\n \"notEquals\": \"[[parameters('minTlsVersion')]\"\n },\n {\n \"field\": \"Microsoft.EventHub/namespaces/minimumTlsVersion\",\n \"exists\": \"false\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#125": "{\n \"name\": \"Deny-EH-Premium-CMK\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Event Hub namespaces (Premium) should use a customer-managed key for encryption\",\n \"description\": \"Event Hub namespaces (Premium) should use a customer-managed key for encryption.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Hub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.EventHub/namespaces\"\n },\n {\n \"field\": \"Microsoft.EventHub/namespaces/sku.name\",\n \"equals\": \"Premium\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.EventHub/namespaces/encryption.keySource\",\n \"equals\": \"Microsoft.Keyvault\"\n }\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#126": "{\n \"name\": \"Deny-LogicApp-Public-Network\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Logic apps should disable public network access\",\n \"description\": \"Disabling public network access improves security by ensuring that the Logic App is not exposed on the public internet. Creating private endpoints can limit exposure of a Logic App. Learn more at: https://aka.ms/app-service-private-endpoint.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Logic Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"kind\",\n \"contains\": \"workflowapp\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Web/sites/publicNetworkAccess\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Web/sites/publicNetworkAccess\",\n \"notEquals\": \"Disabled\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#127": "{\n \"name\": \"Deny-LogicApps-Without-Https\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Logic app should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Logic Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"kind\",\n \"contains\": \"workflowapp\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Web/sites/httpsOnly\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Web/sites/httpsOnly\",\n \"equals\": \"false\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#128": "{\n \"name\": \"Deny-Service-Endpoints\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deny or Audit service endpoints on subnets\",\n \"description\": \"This Policy will deny/audit Service Endpoints on subnets. Service Endpoints allows the network traffic to bypass Network appliances, such as the Azure Firewall.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks/subnets\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets/serviceEndpoints[*]\",\n \"where\": {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets/serviceEndpoints[*].service\",\n \"exists\": true\n }\n },\n \"greater\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#129": "{\n \"name\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Storage Accounts should use a container delete retention policy\",\n \"description\": \"Enforce container delete retention policies larger than seven days for storage account. Enable this for increased data loss protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Minimum Container Delete Retention in Days\",\n \"description\": \"Specifies the minimum number of days for the container delete retention policy\"\n },\n \"defaultValue\": 7\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/blobServices\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/blobServices/containerDeleteRetentionPolicy.enabled\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/blobServices/containerDeleteRetentionPolicy.enabled\",\n \"notEquals\": true\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/blobServices/containerDeleteRetentionPolicy.days\",\n \"less\": \"[[parameters('minContainerDeleteRetentionInDays')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#120": "{\n \"name\": \"Deny-CognitiveServices-NetworkAcls\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Network ACLs should be restricted for Cognitive Services\",\n \"description\": \"Azure Cognitive Services should not allow adding individual IPs or virtual network rules to the service-level firewall. Enable this to restrict inbound network access and enforce the usage of private endpoints.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.CognitiveServices/accounts\"\n },\n {\n \"anyOf\": [\n {\n \"count\": {\n \"field\": \"Microsoft.CognitiveServices/accounts/networkAcls.ipRules[*]\"\n },\n \"greater\": 0\n },\n {\n \"count\": {\n \"field\": \"Microsoft.CognitiveServices/accounts/networkAcls.virtualNetworkRules[*]\"\n },\n \"greater\": 0\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#121": "{\n \"name\": \"Deny-CognitiveServices-Resource-Kinds\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Only explicit kinds for Cognitive Services should be allowed\",\n \"description\": \"Azure Cognitive Services should only create explicit allowed kinds.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"allowedKinds\": {\n \"type\": \"array\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Select the allowed resource kinds to be used with Cognitive Services\"\n },\n \"allowedValues\": [\n \"AnomalyDetector\",\n \"ComputerVision\",\n \"CognitiveServices\",\n \"ContentModerator\",\n \"CustomVision.Training\",\n \"CustomVision.Prediction\",\n \"Face\",\n \"FormRecognizer\",\n \"ImmersiveReader\",\n \"LUIS\",\n \"Personalizer\",\n \"SpeechServices\",\n \"TextAnalytics\",\n \"TextTranslation\",\n \"OpenAI\"\n ],\n \"defaultValue\": [\n \"AnomalyDetector\",\n \"ComputerVision\",\n \"CognitiveServices\",\n \"ContentModerator\",\n \"CustomVision.Training\",\n \"CustomVision.Prediction\",\n \"Face\",\n \"FormRecognizer\",\n \"ImmersiveReader\",\n \"LUIS\",\n \"Personalizer\",\n \"SpeechServices\",\n \"TextAnalytics\",\n \"TextTranslation\",\n \"OpenAI\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.CognitiveServices/accounts\"\n },\n {\n \"field\": \"kind\",\n \"notIn\": \"[[parameters('allowedKinds')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#122": "{\n \"name\": \"Deny-CognitiveServices-RestrictOutboundNetworkAccess\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Outbound network access should be restricted for Cognitive Services\",\n \"description\": \"Azure Cognitive Services allow restricting outbound network access. Enable this to limit outbound connectivity for the service.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.CognitiveServices/accounts\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.CognitiveServices/accounts/restrictOutboundNetworkAccess\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.CognitiveServices/accounts/restrictOutboundNetworkAccess\",\n \"notEquals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#123": "{\n \"name\": \"Deny-EH-minTLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Event Hub namespaces should use a valid TLS version\",\n \"description\": \"Event Hub namespaces should use a valid TLS version.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Hub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minTlsVersion\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Minimum TLS Version\",\n \"description\": \"Minimum TLS version to be used by Event Hub\"\n },\n \"defaultValue\": \"1.2\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.EventHub/namespaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.EventHub/namespaces/minimumTlsVersion\",\n \"notEquals\": \"[[parameters('minTlsVersion')]\"\n },\n {\n \"field\": \"Microsoft.EventHub/namespaces/minimumTlsVersion\",\n \"exists\": \"false\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#124": "{\n \"name\": \"Deny-EH-Premium-CMK\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Event Hub namespaces (Premium) should use a customer-managed key for encryption\",\n \"description\": \"Event Hub namespaces (Premium) should use a customer-managed key for encryption.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Hub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.EventHub/namespaces\"\n },\n {\n \"field\": \"Microsoft.EventHub/namespaces/sku.name\",\n \"equals\": \"Premium\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.EventHub/namespaces/encryption.keySource\",\n \"equals\": \"Microsoft.Keyvault\"\n }\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#125": "{\n \"name\": \"Deny-LogicApp-Public-Network\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Logic apps should disable public network access\",\n \"description\": \"Disabling public network access improves security by ensuring that the Logic App is not exposed on the public internet. Creating private endpoints can limit exposure of a Logic App. Learn more at: https://aka.ms/app-service-private-endpoint.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Logic Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"kind\",\n \"contains\": \"workflowapp\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Web/sites/publicNetworkAccess\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Web/sites/publicNetworkAccess\",\n \"notEquals\": \"Disabled\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#126": "{\n \"name\": \"Deny-LogicApps-Without-Https\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Logic app should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Logic Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"kind\",\n \"contains\": \"workflowapp\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Web/sites/httpsOnly\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Web/sites/httpsOnly\",\n \"equals\": \"false\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#127": "{\n \"name\": \"Deny-Service-Endpoints\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deny or Audit service endpoints on subnets\",\n \"description\": \"This Policy will deny/audit Service Endpoints on subnets. Service Endpoints allows the network traffic to bypass Network appliances, such as the Azure Firewall.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks/subnets\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets/serviceEndpoints[*]\",\n \"where\": {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets/serviceEndpoints[*].service\",\n \"exists\": true\n }\n },\n \"greater\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#128": "{\n \"name\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Storage Accounts should use a container delete retention policy\",\n \"description\": \"Enforce container delete retention policies larger than seven days for storage account. Enable this for increased data loss protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Minimum Container Delete Retention in Days\",\n \"description\": \"Specifies the minimum number of days for the container delete retention policy\"\n },\n \"defaultValue\": 7\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/blobServices\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/blobServices/containerDeleteRetentionPolicy.enabled\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/blobServices/containerDeleteRetentionPolicy.enabled\",\n \"notEquals\": true\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/blobServices/containerDeleteRetentionPolicy.days\",\n \"less\": \"[[parameters('minContainerDeleteRetentionInDays')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#129": "{\n \"name\": \"Deny-Storage-CopyScope\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Allowed Copy scope should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should restrict the allowed copy scope. Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"allowedCopyScope\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Allowed Copy Scope\",\n \"description\": \"Specify the allowed copy scope.\"\n },\n \"allowedValues\": [\n \"AAD\",\n \"PrivateLink\"\n ],\n \"defaultValue\": \"AAD\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/allowedCopyScope\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/allowedCopyScope\",\n \"notEquals\": \"[[parameters('allowedCopyScope')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", "$fxv#13": "{\n \"name\": \"Deny-MySql-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"MySQL database servers enforce SSL connections.\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforMySQL/servers\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DBforMySQL/servers/sslEnforcement\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.DBforMySQL/servers/sslEnforcement\",\n \"notEquals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforMySQL/servers/minimalTlsVersion\",\n \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#130": "{\n \"name\": \"Deny-Storage-CopyScope\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Allowed Copy scope should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should restrict the allowed copy scope. Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"allowedCopyScope\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Allowed Copy Scope\",\n \"description\": \"Specify the allowed copy scope.\"\n },\n \"allowedValues\": [\n \"AAD\",\n \"PrivateLink\"\n ],\n \"defaultValue\": \"AAD\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/allowedCopyScope\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/allowedCopyScope\",\n \"notEquals\": \"[[parameters('allowedCopyScope')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#131": "{\n \"name\": \"Deny-Storage-CorsRules\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Storage Accounts should restrict CORS rules\",\n \"description\": \"Deny CORS rules for storage account for increased data exfiltration protection and endpoint protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/blobServices\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/blobServices/cors.corsRules[*]\"\n },\n \"greater\": 0\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/fileServices\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/fileServices/cors.corsRules[*]\"\n },\n \"greater\": 0\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/tableServices\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/tableServices/cors.corsRules[*]\"\n },\n \"greater\": 0\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/queueServices\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/queueServices/cors.corsRules[*]\"\n },\n \"greater\": 0\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#132": "{\n \"name\": \"Deny-Storage-LocalUser\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Local users should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should disable local users for features like SFTP. Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/isLocalUserEnabled\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/isLocalUserEnabled\",\n \"notEquals\": false\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#133": "{\n \"name\": \"Deny-Storage-NetworkAclsBypass\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Network ACL bypass option should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should restrict the bypass option for service-level network ACLs. Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"allowedBypassOptions\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Allowed Bypass Options\",\n \"description\": \"Specifies which options are allowed to bypass the vnet configuration\"\n },\n \"allowedValues\": [\n \"None\",\n \"Logging\",\n \"Metrics\",\n \"AzureServices\",\n \"Logging, Metrics\",\n \"Logging, AzureServices\",\n \"Metrics, AzureServices\",\n \"Logging, Metrics, AzureServices\",\n \"Logging, Metrics, AzureServices\"\n ],\n \"defaultValue\": [\n \"Logging\",\n \"Metrics\",\n \"AzureServices\",\n \"Logging, Metrics\",\n \"Logging, AzureServices\",\n \"Metrics, AzureServices\",\n \"Logging, Metrics, AzureServices\",\n \"Logging, Metrics, AzureServices\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.bypass\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.bypass\",\n \"notIn\": \"[[parameters('allowedBypassOptions')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#134": "{\n \"name\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Virtual network rules should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should restrict the virtual network service-level network ACLs. Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.virtualNetworkRules[*]\"\n },\n \"greater\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#135": "{\n \"name\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Resource Access Rules resource IDs should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should restrict the resource access rule for service-level network ACLs to services from a specific Azure subscription. Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]\"\n },\n \"greater\": 0\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]\",\n \"where\": {\n \"value\": \"[[split(current('Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*].resourceId'), '/')[2]]\",\n \"equals\": \"*\"\n }\n },\n \"greater\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#136": "{\n \"name\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Resource Access Rules Tenants should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should restrict the resource access rule for service-level network ACLs to service from the same AAD tenant. Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]\"\n },\n \"greater\": 0\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*].tenantId\",\n \"notEquals\": \"[[subscription().tenantId]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#137": "{\n \"name\": \"Deny-Storage-ServicesEncryption\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Encryption for storage services should be enforced for Storage Accounts\",\n \"description\": \"Azure Storage accounts should enforce encryption for all storage services. Enforce this for increased encryption scope.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.blob.enabled\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.blob.enabled\",\n \"notEquals\": true\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.file.enabled\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.file.enabled\",\n \"notEquals\": true\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.queue.keyType\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.queue.keyType\",\n \"notEquals\": \"Account\"\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.table.keyType\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.table.keyType\",\n \"notEquals\": \"Account\"\n }\n ]\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#138": "{\n \"name\": \"Deploy-LogicApp-TLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Configure Logic apps to use the latest TLS version\",\n \"description\": \"Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Logic Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"kind\",\n \"contains\": \"workflowapp\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"web\",\n \"existenceCondition\": {\n \"field\": \"Microsoft.Web/sites/config/minTlsVersion\",\n \"equals\": \"1.2\"\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"siteName\": {\n \"value\": \"[[field('name')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"siteName\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Web/sites/config\",\n \"apiVersion\": \"2021-02-01\",\n \"name\": \"[[concat(parameters('siteName'), '/web')]\",\n \"properties\": {\n \"minTlsVersion\": \"1.2\"\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#139": "{\n \"name\": \"Modify-NSG\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Enforce specific configuration of Network Security Groups (NSG)\",\n \"description\": \"This policy enforces the configuration of Network Security Groups (NSG).\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Modify\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"nsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"nsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"nsgRuleDirection\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Inbound\",\n \"Outbound\"\n ],\n \"defaultValue\": \"Outbound\"\n },\n \"nsgRuleAccess\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Allow\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"nsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*]\"\n },\n \"equals\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"conflictEffect\": \"audit\",\n \"operations\": [\n {\n \"operation\": \"add\",\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*]\",\n \"value\": {\n \"name\": \"[[parameters('nsgRuleName')]\",\n \"properties\": {\n \"description\": \"[[parameters('nsgRuleDescription')]\",\n \"protocol\": \"[[parameters('nsgRuleProtocol')]\",\n \"sourcePortRange\": \"[[parameters('nsgRuleSourcePortRange')]\",\n \"destinationPortRange\": \"[[parameters('nsgRuleDestinationPortRange')]\",\n \"sourceAddressPrefix\": \"[[parameters('nsgRuleSourceAddressPrefix')]\",\n \"destinationAddressPrefix\": \"[[parameters('nsgRuleDestinationAddressPrefix')]\",\n \"access\": \"[[parameters('nsgRuleAccess')]\",\n \"priority\": \"[[parameters('nsgRulePriority')]\",\n \"direction\": \"[[parameters('nsgRuleDirection')]\"\n }\n }\n }\n ]\n }\n }\n }\n }\n}", + "$fxv#130": "{\n \"name\": \"Deny-Storage-CorsRules\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Storage Accounts should restrict CORS rules\",\n \"description\": \"Deny CORS rules for storage account for increased data exfiltration protection and endpoint protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/blobServices\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/blobServices/cors.corsRules[*]\"\n },\n \"greater\": 0\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/fileServices\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/fileServices/cors.corsRules[*]\"\n },\n \"greater\": 0\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/tableServices\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/tableServices/cors.corsRules[*]\"\n },\n \"greater\": 0\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/queueServices\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/queueServices/cors.corsRules[*]\"\n },\n \"greater\": 0\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#131": "{\n \"name\": \"Deny-Storage-LocalUser\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Local users should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should disable local users for features like SFTP. Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/isLocalUserEnabled\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/isLocalUserEnabled\",\n \"notEquals\": false\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#132": "{\n \"name\": \"Deny-Storage-NetworkAclsBypass\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Network ACL bypass option should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should restrict the bypass option for service-level network ACLs. Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"allowedBypassOptions\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Allowed Bypass Options\",\n \"description\": \"Specifies which options are allowed to bypass the vnet configuration\"\n },\n \"allowedValues\": [\n \"None\",\n \"Logging\",\n \"Metrics\",\n \"AzureServices\",\n \"Logging, Metrics\",\n \"Logging, AzureServices\",\n \"Metrics, AzureServices\",\n \"Logging, Metrics, AzureServices\",\n \"Logging, Metrics, AzureServices\"\n ],\n \"defaultValue\": [\n \"Logging\",\n \"Metrics\",\n \"AzureServices\",\n \"Logging, Metrics\",\n \"Logging, AzureServices\",\n \"Metrics, AzureServices\",\n \"Logging, Metrics, AzureServices\",\n \"Logging, Metrics, AzureServices\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.bypass\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.bypass\",\n \"notIn\": \"[[parameters('allowedBypassOptions')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#133": "{\n \"name\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Virtual network rules should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should restrict the virtual network service-level network ACLs. Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.virtualNetworkRules[*]\"\n },\n \"greater\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#134": "{\n \"name\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Resource Access Rules resource IDs should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should restrict the resource access rule for service-level network ACLs to services from a specific Azure subscription. Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]\"\n },\n \"greater\": 0\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]\",\n \"where\": {\n \"value\": \"[[split(current('Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*].resourceId'), '/')[2]]\",\n \"equals\": \"*\"\n }\n },\n \"greater\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#135": "{\n \"name\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Resource Access Rules Tenants should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should restrict the resource access rule for service-level network ACLs to service from the same AAD tenant. Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]\"\n },\n \"greater\": 0\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*].tenantId\",\n \"notEquals\": \"[[subscription().tenantId]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#136": "{\n \"name\": \"Deny-Storage-ServicesEncryption\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Encryption for storage services should be enforced for Storage Accounts\",\n \"description\": \"Azure Storage accounts should enforce encryption for all storage services. Enforce this for increased encryption scope.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.blob.enabled\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.blob.enabled\",\n \"notEquals\": true\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.file.enabled\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.file.enabled\",\n \"notEquals\": true\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.queue.keyType\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.queue.keyType\",\n \"notEquals\": \"Account\"\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.table.keyType\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.table.keyType\",\n \"notEquals\": \"Account\"\n }\n ]\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#137": "{\n \"name\": \"Deploy-LogicApp-TLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Configure Logic apps to use the latest TLS version\",\n \"description\": \"Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Logic Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"kind\",\n \"contains\": \"workflowapp\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"web\",\n \"existenceCondition\": {\n \"field\": \"Microsoft.Web/sites/config/minTlsVersion\",\n \"equals\": \"1.2\"\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"siteName\": {\n \"value\": \"[[field('name')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"siteName\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Web/sites/config\",\n \"apiVersion\": \"2021-02-01\",\n \"name\": \"[[concat(parameters('siteName'), '/web')]\",\n \"properties\": {\n \"minTlsVersion\": \"1.2\"\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#138": "{\n \"name\": \"Modify-NSG\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Enforce specific configuration of Network Security Groups (NSG)\",\n \"description\": \"This policy enforces the configuration of Network Security Groups (NSG).\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Modify\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"nsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"nsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"nsgRuleDirection\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Inbound\",\n \"Outbound\"\n ],\n \"defaultValue\": \"Outbound\"\n },\n \"nsgRuleAccess\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Allow\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"nsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*]\"\n },\n \"equals\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"conflictEffect\": \"audit\",\n \"operations\": [\n {\n \"operation\": \"add\",\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*]\",\n \"value\": {\n \"name\": \"[[parameters('nsgRuleName')]\",\n \"properties\": {\n \"description\": \"[[parameters('nsgRuleDescription')]\",\n \"protocol\": \"[[parameters('nsgRuleProtocol')]\",\n \"sourcePortRange\": \"[[parameters('nsgRuleSourcePortRange')]\",\n \"destinationPortRange\": \"[[parameters('nsgRuleDestinationPortRange')]\",\n \"sourceAddressPrefix\": \"[[parameters('nsgRuleSourceAddressPrefix')]\",\n \"destinationAddressPrefix\": \"[[parameters('nsgRuleDestinationAddressPrefix')]\",\n \"access\": \"[[parameters('nsgRuleAccess')]\",\n \"priority\": \"[[parameters('nsgRulePriority')]\",\n \"direction\": \"[[parameters('nsgRuleDirection')]\"\n }\n }\n }\n ]\n }\n }\n }\n }\n}", + "$fxv#139": "{\n \"name\": \"Modify-UDR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Enforce specific configuration of User-Defined Routes (UDR)\",\n \"description\": \"This policy enforces the configuration of User-Defined Routes (UDR) within a subnet.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Modify\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"addressPrefix\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The destination IP address range in CIDR notation that this Policy checks for within the UDR. Example: 0.0.0.0/0 to check for the presence of a default route.\",\n \"displayName\": \"Address Prefix\"\n }\n },\n \"nextHopType\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The next hope type that the policy checks for within the inspected route. The value can be Virtual Network, Virtual Network Gateway, Internet, Virtual Appliance, or None.\",\n \"displayName\": \"Next Hop Type\"\n },\n \"allowedValues\": [\n \"VnetLocal\",\n \"VirtualNetworkGateway\",\n \"Internet\",\n \"VirtualAppliance\",\n \"None\"\n ]\n },\n \"nextHopIpAddress\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The IP address packets should be forwarded to.\",\n \"displayName\": \"Next Hop IP Address\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/routeTables\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/routeTables/routes[*]\"\n },\n \"equals\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"conflictEffect\": \"audit\",\n \"operations\": [\n {\n \"operation\": \"add\",\n \"field\": \"Microsoft.Network/routeTables/routes[*]\",\n \"value\": {\n \"name\": \"default\",\n \"properties\": {\n \"addressPrefix\": \"[[parameters('addressPrefix')]\",\n \"nextHopType\": \"[[parameters('nextHopType')]\",\n \"nextHopIpAddress\": \"[[parameters('nextHopIpAddress')]\"\n }\n }\n }\n ]\n }\n }\n }\n }\n}", "$fxv#14": "{\n \"name\": \"Deny-PostgreSql-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"PostgreSQL database servers enforce SSL connection.\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version minimum TLS for PostgreSQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for PostgreSQL server to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"notEquals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\n \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#140": "{\n \"name\": \"Modify-UDR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Enforce specific configuration of User-Defined Routes (UDR)\",\n \"description\": \"This policy enforces the configuration of User-Defined Routes (UDR) within a subnet.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Modify\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"addressPrefix\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The destination IP address range in CIDR notation that this Policy checks for within the UDR. Example: 0.0.0.0/0 to check for the presence of a default route.\",\n \"displayName\": \"Address Prefix\"\n }\n },\n \"nextHopType\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The next hope type that the policy checks for within the inspected route. The value can be Virtual Network, Virtual Network Gateway, Internet, Virtual Appliance, or None.\",\n \"displayName\": \"Next Hop Type\"\n },\n \"allowedValues\": [\n \"VnetLocal\",\n \"VirtualNetworkGateway\",\n \"Internet\",\n \"VirtualAppliance\",\n \"None\"\n ]\n },\n \"nextHopIpAddress\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The IP address packets should be forwarded to.\",\n \"displayName\": \"Next Hop IP Address\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/routeTables\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/routeTables/routes[*]\"\n },\n \"equals\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"conflictEffect\": \"audit\",\n \"operations\": [\n {\n \"operation\": \"add\",\n \"field\": \"Microsoft.Network/routeTables/routes[*]\",\n \"value\": {\n \"name\": \"default\",\n \"properties\": {\n \"addressPrefix\": \"[[parameters('addressPrefix')]\",\n \"nextHopType\": \"[[parameters('nextHopType')]\",\n \"nextHopIpAddress\": \"[[parameters('nextHopIpAddress')]\"\n }\n }\n }\n ]\n }\n }\n }\n }\n}", - "$fxv#141": "{\n \"name\": \"Deploy-Private-DNS-Generic\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy-Private-DNS-Generic\",\n \"description\": \"Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Networking\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \t\"AzureChinaCloud\",\n \t\t\"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone ID for Paas services\",\n \"description\": \"The private DNS zone name required for specific Paas Services to resolve a private DNS Zone.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"assignPermissions\": true\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS private endpoint resource type\",\n \"description\": \"The PaaS endpoint resource type.\"\n }\n },\n \"groupId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS Private endpoint group ID (subresource)\",\n \"description\": \"The group ID of the PaaS private endpoint. Also referred to as subresource.\"\n }\n },\n \"evaluationDelay\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Evaluation Delay\",\n \"description\": \"The delay in evaluation of the policy. Review delay options at https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists\"\n },\n \"defaultValue\": \"PT10M\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId\",\n \"contains\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"[[parameters('groupId')]\"\n }\n ]\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"evaluationDelay\": \"[[parameters('evaluationDelay')]\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"PaaS-Service-Private-DNS-Zone-Config\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#142": "{\n \"name\": \"DenyAction-DeleteResources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Do not allow deletion of specified resource and resource type\",\n \"description\": \"This policy enables you to specify the resource and resource type that your organization can protect from accidentals deletion by blocking delete calls using the deny action effect.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"General\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Name\",\n \"description\": \"Provide the name of the resource that you want to protect from accidental deletion.\"\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Type\",\n \"description\": \"Provide the resource type that you want to protect from accidental deletion.\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DenyAction\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DenyAction\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"name\",\n \"like\": \"[[parameters('resourceName')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"actionNames\": [\n \"delete\"\n ]\n }\n }\n }\n }\n}\n", - "$fxv#143": "{\n \"name\": \"Audit-MachineLearning-PrivateEndpointId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Control private endpoint connections to Azure Machine Learning\",\n \"description\": \"Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status\",\n \"equals\": \"Approved\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id\",\n \"exists\": false\n },\n {\n \"value\": \"[[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]\",\n \"notEquals\": \"[[subscription().subscriptionId]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#144": "{\n \"name\": \"Deny-AA-child-resources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"No child resources in Automation Account\",\n \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"in\": [\n \"Microsoft.Automation/automationAccounts/runbooks\",\n \"Microsoft.Automation/automationAccounts/variables\",\n \"Microsoft.Automation/automationAccounts/modules\",\n \"Microsoft.Automation/automationAccounts/credentials\",\n \"Microsoft.Automation/automationAccounts/connections\",\n \"Microsoft.Automation/automationAccounts/certificates\"\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#145": "{\n \"name\": \"Deny-Databricks-NoPublicIp\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny public IPs for Databricks cluster\",\n \"description\": \"Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value\",\n \"notEquals\": true\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#146": "{\n \"name\": \"Deny-Databricks-Sku\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny non-premium Databricks sku\",\n \"description\": \"Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/sku.name\",\n \"notEquals\": \"premium\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#147": "{\n \"name\": \"Deny-Databricks-VirtualNetwork\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny Databricks workspaces without Vnet injection\",\n \"description\": \"Enforces the use of vnet injection for Databricks workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value\",\n \"exists\": false\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#148": "{\n \"name\": \"Deny-MachineLearning-Aks\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny AKS cluster creation in Azure Machine Learning\",\n \"description\": \"Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AKS\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/resourceId\",\n \"exists\": false\n },\n {\n \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]\",\n \"equals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#149": "{\n \"name\": \"Deny-MachineLearning-Compute-SubnetId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances\",\n \"description\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"in\": [\n \"AmlCompute\",\n \"ComputeInstance\"\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/subnet.id\",\n \"exists\": false\n },\n {\n \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]\",\n \"equals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#140": "{\n \"name\": \"Deploy-Private-DNS-Generic\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy-Private-DNS-Generic\",\n \"description\": \"Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Networking\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \t\"AzureChinaCloud\",\n \t\t\"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone ID for Paas services\",\n \"description\": \"The private DNS zone name required for specific Paas Services to resolve a private DNS Zone.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"assignPermissions\": true\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS private endpoint resource type\",\n \"description\": \"The PaaS endpoint resource type.\"\n }\n },\n \"groupId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS Private endpoint group ID (subresource)\",\n \"description\": \"The group ID of the PaaS private endpoint. Also referred to as subresource.\"\n }\n },\n \"evaluationDelay\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Evaluation Delay\",\n \"description\": \"The delay in evaluation of the policy. Review delay options at https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists\"\n },\n \"defaultValue\": \"PT10M\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId\",\n \"contains\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"[[parameters('groupId')]\"\n }\n ]\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"evaluationDelay\": \"[[parameters('evaluationDelay')]\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"PaaS-Service-Private-DNS-Zone-Config\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#141": "{\n \"name\": \"DenyAction-DeleteResources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Do not allow deletion of specified resource and resource type\",\n \"description\": \"This policy enables you to specify the resource and resource type that your organization can protect from accidentals deletion by blocking delete calls using the deny action effect.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"General\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Name\",\n \"description\": \"Provide the name of the resource that you want to protect from accidental deletion.\"\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Type\",\n \"description\": \"Provide the resource type that you want to protect from accidental deletion.\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DenyAction\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DenyAction\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"name\",\n \"like\": \"[[parameters('resourceName')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"actionNames\": [\n \"delete\"\n ]\n }\n }\n }\n }\n}\n", + "$fxv#142": "{\n \"name\": \"Audit-MachineLearning-PrivateEndpointId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Control private endpoint connections to Azure Machine Learning\",\n \"description\": \"Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status\",\n \"equals\": \"Approved\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id\",\n \"exists\": false\n },\n {\n \"value\": \"[[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]\",\n \"notEquals\": \"[[subscription().subscriptionId]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#143": "{\n \"name\": \"Deny-AA-child-resources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"No child resources in Automation Account\",\n \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"in\": [\n \"Microsoft.Automation/automationAccounts/runbooks\",\n \"Microsoft.Automation/automationAccounts/variables\",\n \"Microsoft.Automation/automationAccounts/modules\",\n \"Microsoft.Automation/automationAccounts/credentials\",\n \"Microsoft.Automation/automationAccounts/connections\",\n \"Microsoft.Automation/automationAccounts/certificates\"\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#144": "{\n \"name\": \"Deny-Databricks-NoPublicIp\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny public IPs for Databricks cluster\",\n \"description\": \"Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value\",\n \"notEquals\": true\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#145": "{\n \"name\": \"Deny-Databricks-Sku\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny non-premium Databricks sku\",\n \"description\": \"Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/sku.name\",\n \"notEquals\": \"premium\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#146": "{\n \"name\": \"Deny-Databricks-VirtualNetwork\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny Databricks workspaces without Vnet injection\",\n \"description\": \"Enforces the use of vnet injection for Databricks workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value\",\n \"exists\": false\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#147": "{\n \"name\": \"Deny-MachineLearning-Aks\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny AKS cluster creation in Azure Machine Learning\",\n \"description\": \"Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AKS\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/resourceId\",\n \"exists\": false\n },\n {\n \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]\",\n \"equals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#148": "{\n \"name\": \"Deny-MachineLearning-Compute-SubnetId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances\",\n \"description\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"in\": [\n \"AmlCompute\",\n \"ComputeInstance\"\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/subnet.id\",\n \"exists\": false\n },\n {\n \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]\",\n \"equals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#149": "{\n \"name\": \"Deny-MachineLearning-Compute-VmSize\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances\",\n \"description\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"allowedVmSizes\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Allowed VM Sizes for Aml Compute Clusters and Instances\",\n \"description\": \"Specifies the allowed VM Sizes for Aml Compute Clusters and Instances\"\n },\n \"defaultValue\": [\n \"Standard_D1_v2\",\n \"Standard_D2_v2\",\n \"Standard_D3_v2\",\n \"Standard_D4_v2\",\n \"Standard_D11_v2\",\n \"Standard_D12_v2\",\n \"Standard_D13_v2\",\n \"Standard_D14_v2\",\n \"Standard_DS1_v2\",\n \"Standard_DS2_v2\",\n \"Standard_DS3_v2\",\n \"Standard_DS4_v2\",\n \"Standard_DS5_v2\",\n \"Standard_DS11_v2\",\n \"Standard_DS12_v2\",\n \"Standard_DS13_v2\",\n \"Standard_DS14_v2\",\n \"Standard_M8-2ms\",\n \"Standard_M8-4ms\",\n \"Standard_M8ms\",\n \"Standard_M16-4ms\",\n \"Standard_M16-8ms\",\n \"Standard_M16ms\",\n \"Standard_M32-8ms\",\n \"Standard_M32-16ms\",\n \"Standard_M32ls\",\n \"Standard_M32ms\",\n \"Standard_M32ts\",\n \"Standard_M64-16ms\",\n \"Standard_M64-32ms\",\n \"Standard_M64ls\",\n \"Standard_M64ms\",\n \"Standard_M64s\",\n \"Standard_M128-32ms\",\n \"Standard_M128-64ms\",\n \"Standard_M128ms\",\n \"Standard_M128s\",\n \"Standard_M64\",\n \"Standard_M64m\",\n \"Standard_M128\",\n \"Standard_M128m\",\n \"Standard_D1\",\n \"Standard_D2\",\n \"Standard_D3\",\n \"Standard_D4\",\n \"Standard_D11\",\n \"Standard_D12\",\n \"Standard_D13\",\n \"Standard_D14\",\n \"Standard_DS15_v2\",\n \"Standard_NV6\",\n \"Standard_NV12\",\n \"Standard_NV24\",\n \"Standard_F2s_v2\",\n \"Standard_F4s_v2\",\n \"Standard_F8s_v2\",\n \"Standard_F16s_v2\",\n \"Standard_F32s_v2\",\n \"Standard_F64s_v2\",\n \"Standard_F72s_v2\",\n \"Standard_NC6s_v3\",\n \"Standard_NC12s_v3\",\n \"Standard_NC24rs_v3\",\n \"Standard_NC24s_v3\",\n \"Standard_NC6\",\n \"Standard_NC12\",\n \"Standard_NC24\",\n \"Standard_NC24r\",\n \"Standard_ND6s\",\n \"Standard_ND12s\",\n \"Standard_ND24rs\",\n \"Standard_ND24s\",\n \"Standard_NC6s_v2\",\n \"Standard_NC12s_v2\",\n \"Standard_NC24rs_v2\",\n \"Standard_NC24s_v2\",\n \"Standard_ND40rs_v2\",\n \"Standard_NV12s_v3\",\n \"Standard_NV24s_v3\",\n \"Standard_NV48s_v3\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"in\": [\n \"AmlCompute\",\n \"ComputeInstance\"\n ]\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/vmSize\",\n \"notIn\": \"[[parameters('allowedVmSizes')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#15": "{\n \"name\": \"Deny-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny the creation of private DNS\",\n \"description\": \"This policy denies the creation of a private DNS in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateDnsZones\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#150": "{\n \"name\": \"Deny-MachineLearning-Compute-VmSize\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances\",\n \"description\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"allowedVmSizes\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Allowed VM Sizes for Aml Compute Clusters and Instances\",\n \"description\": \"Specifies the allowed VM Sizes for Aml Compute Clusters and Instances\"\n },\n \"defaultValue\": [\n \"Standard_D1_v2\",\n \"Standard_D2_v2\",\n \"Standard_D3_v2\",\n \"Standard_D4_v2\",\n \"Standard_D11_v2\",\n \"Standard_D12_v2\",\n \"Standard_D13_v2\",\n \"Standard_D14_v2\",\n \"Standard_DS1_v2\",\n \"Standard_DS2_v2\",\n \"Standard_DS3_v2\",\n \"Standard_DS4_v2\",\n \"Standard_DS5_v2\",\n \"Standard_DS11_v2\",\n \"Standard_DS12_v2\",\n \"Standard_DS13_v2\",\n \"Standard_DS14_v2\",\n \"Standard_M8-2ms\",\n \"Standard_M8-4ms\",\n \"Standard_M8ms\",\n \"Standard_M16-4ms\",\n \"Standard_M16-8ms\",\n \"Standard_M16ms\",\n \"Standard_M32-8ms\",\n \"Standard_M32-16ms\",\n \"Standard_M32ls\",\n \"Standard_M32ms\",\n \"Standard_M32ts\",\n \"Standard_M64-16ms\",\n \"Standard_M64-32ms\",\n \"Standard_M64ls\",\n \"Standard_M64ms\",\n \"Standard_M64s\",\n \"Standard_M128-32ms\",\n \"Standard_M128-64ms\",\n \"Standard_M128ms\",\n \"Standard_M128s\",\n \"Standard_M64\",\n \"Standard_M64m\",\n \"Standard_M128\",\n \"Standard_M128m\",\n \"Standard_D1\",\n \"Standard_D2\",\n \"Standard_D3\",\n \"Standard_D4\",\n \"Standard_D11\",\n \"Standard_D12\",\n \"Standard_D13\",\n \"Standard_D14\",\n \"Standard_DS15_v2\",\n \"Standard_NV6\",\n \"Standard_NV12\",\n \"Standard_NV24\",\n \"Standard_F2s_v2\",\n \"Standard_F4s_v2\",\n \"Standard_F8s_v2\",\n \"Standard_F16s_v2\",\n \"Standard_F32s_v2\",\n \"Standard_F64s_v2\",\n \"Standard_F72s_v2\",\n \"Standard_NC6s_v3\",\n \"Standard_NC12s_v3\",\n \"Standard_NC24rs_v3\",\n \"Standard_NC24s_v3\",\n \"Standard_NC6\",\n \"Standard_NC12\",\n \"Standard_NC24\",\n \"Standard_NC24r\",\n \"Standard_ND6s\",\n \"Standard_ND12s\",\n \"Standard_ND24rs\",\n \"Standard_ND24s\",\n \"Standard_NC6s_v2\",\n \"Standard_NC12s_v2\",\n \"Standard_NC24rs_v2\",\n \"Standard_NC24s_v2\",\n \"Standard_ND40rs_v2\",\n \"Standard_NV12s_v3\",\n \"Standard_NV24s_v3\",\n \"Standard_NV48s_v3\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"in\": [\n \"AmlCompute\",\n \"ComputeInstance\"\n ]\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/vmSize\",\n \"notIn\": \"[[parameters('allowedVmSizes')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#151": "{\n \"name\": \"Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deny public access of Azure Machine Learning clusters via SSH\",\n \"description\": \"Deny public access of Azure Machine Learning clusters via SSH.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AmlCompute\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n \"notEquals\": \"Disabled\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#152": "{\n \"name\": \"Deny-MachineLearning-ComputeCluster-Scale\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforce scale settings for Azure Machine Learning compute clusters\",\n \"description\": \"Enforce scale settings for Azure Machine Learning compute clusters.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"maxNodeCount\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Maximum Node Count\",\n \"description\": \"Specifies the maximum node count of AML Clusters\"\n },\n \"defaultValue\": 10\n },\n \"minNodeCount\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Minimum Node Count\",\n \"description\": \"Specifies the minimum node count of AML Clusters\"\n },\n \"defaultValue\": 0\n },\n \"maxNodeIdleTimeInSecondsBeforeScaleDown\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Maximum Node Idle Time in Seconds Before Scaledown\",\n \"description\": \"Specifies the maximum node idle time in seconds before scaledown\"\n },\n \"defaultValue\": 900\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AmlCompute\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount\",\n \"greater\": \"[[parameters('maxNodeCount')]\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount\",\n \"greater\": \"[[parameters('minNodeCount')]\"\n },\n {\n \"value\": \"[[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]\",\n \"greater\": \"[[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#153": "{\n \"name\": \"Deny-MachineLearning-HbiWorkspace\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforces high business impact Azure Machine Learning Workspaces\",\n \"description\": \"Enforces high business impact Azure Machine Learning workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n \"notEquals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#154": "{\n \"name\": \"Deny-MachineLearning-PublicAccessWhenBehindVnet\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny public access behind vnet to Azure Machine Learning workspace\",\n \"description\": \"Deny public access behind vnet to Azure Machine Learning workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n \"notEquals\": false\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#155": "{\n \"name\": \"Deny-MachineLearning-PublicNetworkAccess\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Azure Machine Learning should have disabled public network access\",\n \"description\": \"Denies public network access for Azure Machine Learning workspaces. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/438c38d2-3772-465a-a9cc-7a6666a275ce.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"438c38d2-3772-465a-a9cc-7a6666a275ce\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/publicNetworkAccess\",\n \"notEquals\": \"Disabled\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#156": "{\n \"name\": \"Deploy-Budget\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"description\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"budgetName\": {\n \"type\": \"String\",\n \"defaultValue\": \"budget-set-by-policy\",\n \"metadata\": {\n \"description\": \"The name for the budget to be created\"\n }\n },\n \"amount\": {\n \"type\": \"String\",\n \"defaultValue\": \"1000\",\n \"metadata\": {\n \"description\": \"The total amount of cost or usage to track with the budget\"\n }\n },\n \"timeGrain\": {\n \"type\": \"String\",\n \"defaultValue\": \"Monthly\",\n \"allowedValues\": [\n \"Monthly\",\n \"Quarterly\",\n \"Annually\",\n \"BillingMonth\",\n \"BillingQuarter\",\n \"BillingAnnual\"\n ],\n \"metadata\": {\n \"description\": \"The time covered by a budget. Tracking of the amount will be reset based on the time grain.\"\n }\n },\n \"firstThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"90\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"secondThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"100\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"contactRoles\": {\n \"type\": \"Array\",\n \"defaultValue\": [\n \"Owner\",\n \"Contributor\"\n ],\n \"metadata\": {\n \"description\": \"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactEmails\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactGroups\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Consumption/budgets/amount\",\n \"equals\": \"[[parameters('amount')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/timeGrain\",\n \"equals\": \"[[parameters('timeGrain')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/category\",\n \"equals\": \"Cost\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"budgetName\": {\n \"value\": \"[[parameters('budgetName')]\"\n },\n \"amount\": {\n \"value\": \"[[parameters('amount')]\"\n },\n \"timeGrain\": {\n \"value\": \"[[parameters('timeGrain')]\"\n },\n \"firstThreshold\": {\n \"value\": \"[[parameters('firstThreshold')]\"\n },\n \"secondThreshold\": {\n \"value\": \"[[parameters('secondThreshold')]\"\n },\n \"contactEmails\": {\n \"value\": \"[[parameters('contactEmails')]\"\n },\n \"contactRoles\": {\n \"value\": \"[[parameters('contactRoles')]\"\n },\n \"contactGroups\": {\n \"value\": \"[[parameters('contactGroups')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"budgetName\": {\n \"type\": \"String\"\n },\n \"amount\": {\n \"type\": \"String\"\n },\n \"timeGrain\": {\n \"type\": \"String\"\n },\n \"firstThreshold\": {\n \"type\": \"String\"\n },\n \"secondThreshold\": {\n \"type\": \"String\"\n },\n \"contactEmails\": {\n \"type\": \"Array\"\n },\n \"contactRoles\": {\n \"type\": \"Array\"\n },\n \"contactGroups\": {\n \"type\": \"Array\"\n },\n \"startDate\": {\n \"type\": \"String\",\n \"defaultValue\": \"[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"[[parameters('budgetName')]\",\n \"properties\": {\n \"timePeriod\": {\n \"startDate\": \"[[parameters('startDate')]\"\n },\n \"timeGrain\": \"[[parameters('timeGrain')]\",\n \"amount\": \"[[parameters('amount')]\",\n \"category\": \"Cost\",\n \"notifications\": {\n \"NotificationForExceededBudget1\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('firstThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n },\n \"NotificationForExceededBudget2\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('secondThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n }\n }\n }\n }\n ]\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#157": "{\n \"name\": \"Deploy-Diagnostics-AVDScalingPlans\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DesktopVirtualization/scalingplans\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DesktopVirtualization/scalingplans/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"Autoscale\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#150": "{\n \"name\": \"Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deny public access of Azure Machine Learning clusters via SSH\",\n \"description\": \"Deny public access of Azure Machine Learning clusters via SSH.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AmlCompute\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n \"notEquals\": \"Disabled\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#151": "{\n \"name\": \"Deny-MachineLearning-ComputeCluster-Scale\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforce scale settings for Azure Machine Learning compute clusters\",\n \"description\": \"Enforce scale settings for Azure Machine Learning compute clusters.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"maxNodeCount\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Maximum Node Count\",\n \"description\": \"Specifies the maximum node count of AML Clusters\"\n },\n \"defaultValue\": 10\n },\n \"minNodeCount\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Minimum Node Count\",\n \"description\": \"Specifies the minimum node count of AML Clusters\"\n },\n \"defaultValue\": 0\n },\n \"maxNodeIdleTimeInSecondsBeforeScaleDown\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Maximum Node Idle Time in Seconds Before Scaledown\",\n \"description\": \"Specifies the maximum node idle time in seconds before scaledown\"\n },\n \"defaultValue\": 900\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AmlCompute\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount\",\n \"greater\": \"[[parameters('maxNodeCount')]\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount\",\n \"greater\": \"[[parameters('minNodeCount')]\"\n },\n {\n \"value\": \"[[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]\",\n \"greater\": \"[[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#152": "{\n \"name\": \"Deny-MachineLearning-HbiWorkspace\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforces high business impact Azure Machine Learning Workspaces\",\n \"description\": \"Enforces high business impact Azure Machine Learning workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n \"notEquals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#153": "{\n \"name\": \"Deny-MachineLearning-PublicAccessWhenBehindVnet\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny public access behind vnet to Azure Machine Learning workspace\",\n \"description\": \"Deny public access behind vnet to Azure Machine Learning workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n \"notEquals\": false\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#154": "{\n \"name\": \"Deny-MachineLearning-PublicNetworkAccess\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Azure Machine Learning should have disabled public network access\",\n \"description\": \"Denies public network access for Azure Machine Learning workspaces. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/438c38d2-3772-465a-a9cc-7a6666a275ce.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"438c38d2-3772-465a-a9cc-7a6666a275ce\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/publicNetworkAccess\",\n \"notEquals\": \"Disabled\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#155": "{\n \"name\": \"Deploy-Budget\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"description\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"budgetName\": {\n \"type\": \"String\",\n \"defaultValue\": \"budget-set-by-policy\",\n \"metadata\": {\n \"description\": \"The name for the budget to be created\"\n }\n },\n \"amount\": {\n \"type\": \"String\",\n \"defaultValue\": \"1000\",\n \"metadata\": {\n \"description\": \"The total amount of cost or usage to track with the budget\"\n }\n },\n \"timeGrain\": {\n \"type\": \"String\",\n \"defaultValue\": \"Monthly\",\n \"allowedValues\": [\n \"Monthly\",\n \"Quarterly\",\n \"Annually\",\n \"BillingMonth\",\n \"BillingQuarter\",\n \"BillingAnnual\"\n ],\n \"metadata\": {\n \"description\": \"The time covered by a budget. Tracking of the amount will be reset based on the time grain.\"\n }\n },\n \"firstThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"90\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"secondThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"100\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"contactRoles\": {\n \"type\": \"Array\",\n \"defaultValue\": [\n \"Owner\",\n \"Contributor\"\n ],\n \"metadata\": {\n \"description\": \"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactEmails\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactGroups\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Consumption/budgets/amount\",\n \"equals\": \"[[parameters('amount')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/timeGrain\",\n \"equals\": \"[[parameters('timeGrain')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/category\",\n \"equals\": \"Cost\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"budgetName\": {\n \"value\": \"[[parameters('budgetName')]\"\n },\n \"amount\": {\n \"value\": \"[[parameters('amount')]\"\n },\n \"timeGrain\": {\n \"value\": \"[[parameters('timeGrain')]\"\n },\n \"firstThreshold\": {\n \"value\": \"[[parameters('firstThreshold')]\"\n },\n \"secondThreshold\": {\n \"value\": \"[[parameters('secondThreshold')]\"\n },\n \"contactEmails\": {\n \"value\": \"[[parameters('contactEmails')]\"\n },\n \"contactRoles\": {\n \"value\": \"[[parameters('contactRoles')]\"\n },\n \"contactGroups\": {\n \"value\": \"[[parameters('contactGroups')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"budgetName\": {\n \"type\": \"String\"\n },\n \"amount\": {\n \"type\": \"String\"\n },\n \"timeGrain\": {\n \"type\": \"String\"\n },\n \"firstThreshold\": {\n \"type\": \"String\"\n },\n \"secondThreshold\": {\n \"type\": \"String\"\n },\n \"contactEmails\": {\n \"type\": \"Array\"\n },\n \"contactRoles\": {\n \"type\": \"Array\"\n },\n \"contactGroups\": {\n \"type\": \"Array\"\n },\n \"startDate\": {\n \"type\": \"String\",\n \"defaultValue\": \"[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"[[parameters('budgetName')]\",\n \"properties\": {\n \"timePeriod\": {\n \"startDate\": \"[[parameters('startDate')]\"\n },\n \"timeGrain\": \"[[parameters('timeGrain')]\",\n \"amount\": \"[[parameters('amount')]\",\n \"category\": \"Cost\",\n \"notifications\": {\n \"NotificationForExceededBudget1\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('firstThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n },\n \"NotificationForExceededBudget2\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('secondThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n }\n }\n }\n }\n ]\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#156": "{\n \"name\": \"Deploy-Diagnostics-AVDScalingPlans\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DesktopVirtualization/scalingplans\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DesktopVirtualization/scalingplans/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"Autoscale\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#157": "{\n \"name\": \"Deploy-Vm-autoShutdown\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Virtual Machine Auto Shutdown Schedule\",\n \"description\": \"Deploys an auto shutdown schedule to a virtual machine\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Compute\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"time\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Scheduled Shutdown Time\",\n \"description\": \"Daily Scheduled shutdown time. i.e. 2300 = 11:00 PM\"\n },\n \"defaultValue\": \"0000\"\n },\n \"timeZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"UTC\",\n \"metadata\": {\n \"displayName\": \"Time zone\",\n \"description\": \"The time zone ID (e.g. Pacific Standard time).\"\n }\n },\n \"EnableNotification\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"metadata\": {\n \"displayName\": \"Send Notification before auto-shutdown\",\n \"description\": \"If notifications are enabled for this schedule (i.e. Enabled, Disabled).\"\n },\n \"allowedValues\": [\n \"Disabled\",\n \"Enabled\"\n ]\n },\n \"NotificationEmailRecipient\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"Email Address\",\n \"description\": \"Email address to be used for notification\"\n }\n },\n \"NotificationWebhookUrl\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"Webhook URL\",\n \"description\": \"A notification will be posted to the specified webhook endpoint when the auto-shutdown is about to happen.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n \"then\": {\n \"effect\": \"deployIfNotExists\",\n \"details\": {\n \"type\": \"Microsoft.DevTestLab/schedules\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.DevTestLab/schedules/taskType\",\n \"equals\": \"ComputeVmShutdownTask\"\n },\n {\n \"field\": \"Microsoft.DevTestLab/schedules/targetResourceId\",\n \"equals\": \"[[concat(resourceGroup().id,'/providers/Microsoft.Compute/virtualMachines/',field('name'))]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"vmName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n },\n \"time\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"Daily Scheduled shutdown time. i.e. 2300 = 11:00 PM\"\n }\n },\n \"timeZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"The time zone ID (e.g. Pacific Standard time).\"\n }\n },\n \"EnableNotification\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"If notifications are enabled for this schedule (i.e. Enabled, Disabled).\"\n }\n },\n \"NotificationEmailRecipient\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"Email address to be used for notification\"\n }\n },\n \"NotificationWebhookUrl\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"A notification will be posted to the specified webhook endpoint when the auto-shutdown is about to happen.\"\n }\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"[[concat('shutdown-computevm-',parameters('vmName'))]\",\n \"type\": \"Microsoft.DevTestLab/schedules\",\n \"location\": \"[[parameters('location')]\",\n \"apiVersion\": \"2018-09-15\",\n \"properties\": {\n \"status\": \"Enabled\",\n \"taskType\": \"ComputeVmShutdownTask\",\n \"dailyRecurrence\": {\n \"time\": \"[[parameters('time')]\"\n },\n \"timeZoneId\": \"[[parameters('timeZoneId')]\",\n \"notificationSettings\": {\n \"status\": \"[[parameters('EnableNotification')]\",\n \"timeInMinutes\": 30,\n \"webhookUrl\": \"[[parameters('NotificationWebhookUrl')]\",\n \"emailRecipient\": \"[[parameters('NotificationEmailRecipient')]\",\n \"notificationLocale\": \"en\"\n },\n \"targetResourceId\": \"[[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"time\": {\n \"value\": \"[[parameters('time')]\"\n },\n \"timeZoneId\": {\n \"value\": \"[[parameters('timeZoneId')]\"\n },\n \"EnableNotification\": {\n \"value\": \"[[parameters('EnableNotification')]\"\n },\n \"NotificationEmailRecipient\": {\n \"value\": \"[[parameters('NotificationEmailRecipient')]\"\n },\n \"NotificationWebhookUrl\": {\n \"value\": \"[[parameters('NotificationWebhookUrl')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", "$fxv#158": "{\n \"name\": \"Deny-AFSPaasPublicIP\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Public network access should be disabled for Azure File Sync\",\n \"description\": \"Disabling the public endpoint allows you to restrict access to your Storage Sync Service resource to requests destined to approved private endpoints on your organization's network. There is nothing inherently insecure about allowing requests to the public endpoint, however, you may wish to disable it to meet regulatory, legal, or organizational policy requirements. You can disable the public endpoint for a Storage Sync Service by setting the incomingTrafficPolicy of the resource to AllowVirtualNetworksOnly.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.StorageSync/storageSyncServices\"\n },\n {\n \"field\": \"Microsoft.StorageSync/storageSyncServices/incomingTrafficPolicy\",\n \"notEquals\": \"AllowVirtualNetworksOnly\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#159": "{\n \"name\": \"Deny-KeyVaultPaasPublicIP\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Preview: Azure Key Vault should disable public network access\",\n \"description\": \"Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink.\",\n \"metadata\": {\n \"version\": \"2.0.0-preview\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"preview\": true,\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.KeyVault/vaults\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.KeyVault/vaults/createMode\",\n \"equals\": \"recover\"\n }\n },\n {\n \"field\": \"Microsoft.KeyVault/vaults/networkAcls.defaultAction\",\n \"notEquals\": \"Deny\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#16": "{\n \"name\": \"Deny-PublicEndpoint-MariaDB\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Public network access should be disabled for MariaDB\",\n \"description\": \"This policy denies the creation of Maria DB accounts with exposed public endpoints. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/fdccbe47-f3e3-4213-ad5d-ea459b2fa077.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforMariaDB/servers\"\n },\n {\n \"field\": \"Microsoft.DBforMariaDB/servers/publicNetworkAccess\",\n \"notequals\": \"Disabled\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", @@ -406,10 +406,10 @@ "[variables('$fxv#138')]", "[variables('$fxv#139')]", "[variables('$fxv#140')]", - "[variables('$fxv#141')]", - "[variables('$fxv#142')]" + "[variables('$fxv#141')]" ], "AzureCloud": [ + "[variables('$fxv#142')]", "[variables('$fxv#143')]", "[variables('$fxv#144')]", "[variables('$fxv#145')]", diff --git a/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json b/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json index 385dcbebdf..87e9aa6628 100644 --- a/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json +++ b/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.28.1.47646", - "templateHash": "7289710698265093596" + "version": "0.22.6.54827", + "templateHash": "14490525755972949150" } }, "variables": { @@ -38,22 +38,25 @@ } }, "$fxv#1": { - "name": "dc726155-3983-5405-b446-9bb27b94e02c", + "name": "402344ce-48c4-5ac1-9320-16726050f964", "type": "Microsoft.Authorization/roleDefinitions", "apiVersion": "2022-04-01", "properties": { - "roleName": "Network-Management", - "description": "Platform-wide global connectivity management: virtual networks, UDRs, NSGs, NVAs, VPN, Azure ExpressRoute, and others", + "roleName": "Subscription-Owner", + "description": "Delegated role for subscription owner generated from subscription Owner role", "type": "customRole", "permissions": [ { "actions": [ - "*/read", - "Microsoft.Network/*", - "Microsoft.Resources/deployments/*", - "Microsoft.Support/*" + "*" + ], + "notActions": [ + "Microsoft.Authorization/*/write", + "Microsoft.Network/vpnGateways/*", + "Microsoft.Network/expressRouteCircuits/*", + "Microsoft.Network/routeTables/write", + "Microsoft.Network/vpnSites/*" ], - "notActions": [], "dataActions": [], "notDataActions": [] } @@ -98,25 +101,22 @@ } }, "$fxv#3": { - "name": "402344ce-48c4-5ac1-9320-16726050f964", + "name": "dc726155-3983-5405-b446-9bb27b94e02c", "type": "Microsoft.Authorization/roleDefinitions", "apiVersion": "2022-04-01", "properties": { - "roleName": "Subscription-Owner", - "description": "Delegated role for subscription owner generated from subscription Owner role", + "roleName": "Network-Management", + "description": "Platform-wide global connectivity management: virtual networks, UDRs, NSGs, NVAs, VPN, Azure ExpressRoute, and others", "type": "customRole", "permissions": [ { "actions": [ - "*" - ], - "notActions": [ - "Microsoft.Authorization/*/write", - "Microsoft.Network/vpnGateways/*", - "Microsoft.Network/expressRouteCircuits/*", - "Microsoft.Network/routeTables/write", - "Microsoft.Network/vpnSites/*" + "*/read", + "Microsoft.Network/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Support/*" ], + "notActions": [], "dataActions": [], "notDataActions": [] } @@ -130,11 +130,12 @@ "loadRoleDefinitions": { "All": [ "[variables('$fxv#0')]", - "[variables('$fxv#1')]", + "[variables('$fxv#1')]" + ], + "AzureCloud": [ "[variables('$fxv#2')]", "[variables('$fxv#3')]" ], - "AzureCloud": [], "AzureChinaCloud": [], "AzureUSGovernment": [] }, From 8f21e5f652a9f40595cb3e6903d753db3aea412d Mon Sep 17 00:00:00 2001 From: yuanzhang9 Date: Fri, 2 Aug 2024 14:37:04 +0800 Subject: [PATCH 09/35] Update to adopt Mooncake --- eslzArm/eslzArm.json | 25 +- ...mcDENY-PublicEndpointPolicyAssignment.json | 60 ++ .../mcDINE-MDFCConfigPolicyAssignment.json | 2 +- ...cDINE-PrivateDNSZonesPolicyAssignment.json | 2 +- .../policyDefinitions/initiatives.json | 162 ++-- ...y-PublicPaaSEndpoints.AzureChinaCloud.json | 6 +- .../Deploy-MDFC-Config.AzureChinaCloud.json | 2 +- ...loy-Private-DNS-Zones.AzureChinaCloud.json | 24 +- ...cryptTransit_20240509.AzureChinaCloud.json | 912 ++++++++++++++++++ ...Guardrails-Automation.AzureChinaCloud.json | 116 +++ ...rdrails-ContainerApps.AzureChinaCloud.json | 43 + ...e-Guardrails-CosmosDb.AzureChinaCloud.json | 104 ++ ...ardrails-KeyVault-Sup.AzureChinaCloud.json | 42 + ...e-Guardrails-KeyVault.AzureChinaCloud.json | 759 +++++++++++++++ ...orce-Guardrails-MySQL.AzureChinaCloud.json | 42 + ...ce-Guardrails-Network.AzureChinaCloud.json | 504 ++++++++++ ...ce-Guardrails-Storage.AzureChinaCloud.json | 443 +++++++++ src/templates/initiatives.bicep | 49 +- 18 files changed, 3188 insertions(+), 109 deletions(-) create mode 100644 eslzArm/managementGroupTemplates/policyAssignments/china/mcDENY-PublicEndpointPolicyAssignment.json create mode 100644 src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.AzureChinaCloud.json create mode 100644 src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.AzureChinaCloud.json create mode 100644 src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.AzureChinaCloud.json create mode 100644 src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.AzureChinaCloud.json create mode 100644 src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.AzureChinaCloud.json create mode 100644 src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.AzureChinaCloud.json create mode 100644 src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.AzureChinaCloud.json create mode 100644 src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.AzureChinaCloud.json create mode 100644 src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.AzureChinaCloud.json diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index 6954c148e0..5004523a43 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -1575,6 +1575,7 @@ "monitorRepo": "https://raw.githubusercontent.com/Azure/azure-monitor-baseline-alerts/2023-11-14/" }, // Declaring all required deployment uri's used for deployments of composite ARM templates for ESLZ + // Referring to different Policy Set definition for different cloud enviornment "azPrivateDnsPolicyAssignmentMapping": { "https://management.azure.com/": "managementGroupTemplates/policyAssignments/DINE-PrivateDNSZonesPolicyAssignment.json", "https://management.usgovcloudapi.net": "managementGroupTemplates/policyAssignments/gov/fairfaxDINE-PrivateDNSZonesPolicyAssignment.json", @@ -1582,13 +1583,31 @@ }, "azPrivateDnsPolicyAssignment": "[variables('azPrivateDnsPolicyAssignmentMapping')[environment().resourceManager]]", - // Referring to different Policy Set definition for different cloud enviornment + + "PublicEndpointPolicyAssignmentMapping": { + "https://management.azure.com/": "managementGroupTemplates/policyAssignments/DENY-PublicEndpointPolicyAssignment.json", + "https://management.usgovcloudapi.net": "managementGroupTemplates/policyAssignments/DENY-PublicEndpointPolicyAssignment.json", // This needs to be updated for USGovernmentCloud + "https://management.chinacloudapi.cn": "managementGroupTemplates/policyAssignments/china/mcDINE-PublicEndpointPolicyAssignment.json" + + }, + "PublicEndpointPolicyAssignment": "[variables('PublicEndpointPolicyAssignmentMapping')[environment().resourceManager]]", + "regulatoryCompliancePolicyAssignmentMapping": { "https://management.azure.com/": "managementGroupTemplates/policyAssignments/ENFORCE-RegulatoryCompliancePolicyAssignment.json", + "https://management.usgovcloudapi.net": "managementGroupTemplates/policyAssignments/ENFORCE-RegulatoryCompliancePolicyAssignment.json", // This needs to be updated for USGovernmentCloud "https://management.chinacloudapi.cn": "managementGroupTemplates/policyAssignments/china/mcENFORCE-RegulatoryCompliancePolicyAssignment.json" }, "regulatoryCompliancePolicy": "[variables('regulatoryCompliancePolicyAssignmentMapping')[environment().resourceManager]]", + + "mdfcConfigPolicyInitiativeMapping": { + "https://management.azure.com/": "managementGroupTemplates/policyAssignments/DINE-MDFCConfigPolicyAssignment.json", + "https://management.usgovcloudapi.net": "managementGroupTemplates/policyAssignments/DINE-MDFCConfigPolicyAssignment.json", // This needs to be updated for USGovernmentCloud + "https://management.chinacloudapi.cn": "managementGroupTemplates/policyAssignments/china/mcDINE-MDFCConfigPolicyAssignment.json" + + }, + "mdfcConfigPolicyInitiative": "[variables('mdfcConfigPolicyInitiativeMapping')[environment().resourceManager]]", + "deploymentUris": { "managementGroups": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/mgmtGroupStructure/mgmtGroups.json')]", "managementGroupsLite": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/mgmtGroupStructure/mgmtGroupsLite.json')]", @@ -1610,7 +1629,7 @@ "regulatoryComplianceInitaitves": "[uri(deployment().properties.templateLink.uri, variables('regulatoryCompliancePolicy'))]", "resourceDiagnosticsInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json')]", "activityDiagnosticsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json')]", - "mdfcConfigPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-MDFCConfigPolicyAssignment.json')]", + "mdfcConfigPolicyInitiative": "[uri(deployment().properties.templateLink.uri, variables('mdfcConfigPolicyInitiative'))]", "mdEnpointsPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-MDEndpointsPolicyAssignment.json')]", "mdEnpointsAMAPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-MDEndpointsAMAPolicyAssignment.json')]", "atpOssDbPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-AtpOssDbPolicyAssignment.json')]", @@ -1625,7 +1644,7 @@ "tlsSslPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json')]", "aksHttpsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-AksWithoutHttpsPolicyAssignment.json')]", "ipFwdPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-IPForwardingPolicyAssignment.json')]", - "publicEndpointPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-PublicEndpointPolicyAssignment.json')]", + "publicEndpointPolicyAssignment": "[uri(deployment().properties.templateLink.uri, variables('PublicEndpointPolicyAssignment'))]", "privateDnsZonePolicyAssignment": "[uri(deployment().properties.templateLink.uri, variables('azPrivateDnsPolicyAssignment'))]", "pipPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-PublicIpAddressPolicyAssignment.json')]", "pipOnNicPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-PublicIpAddressOnNICPolicyAssignment.json')]", diff --git a/eslzArm/managementGroupTemplates/policyAssignments/china/mcDENY-PublicEndpointPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/china/mcDENY-PublicEndpointPolicyAssignment.json new file mode 100644 index 0000000000..bd5516c435 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/china/mcDENY-PublicEndpointPolicyAssignment.json @@ -0,0 +1,60 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + } + }, + "variables": { + "policyDefinitions": { + "denyPublicEndpoint": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints-AzureChinaCloud')]" + }, + "policyAssignmentNames": { + "denyPublicEndpoint": "Deny-Public-Endpoints", + "displayName": "Public network access should be disabled for PaaS services", + "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints" + }, + "nonComplianceMessage": { + "message": "Public network access {enforcementMode} be disabled for PaaS services.", + "Default": "must", + "DoNotEnforce": "should" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').denyPublicEndpoint]", + "location": "[deployment().location]", + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').denyPublicEndpoint]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ], + "parameters": {} + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/eslzArm/managementGroupTemplates/policyAssignments/china/mcDINE-MDFCConfigPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/china/mcDINE-MDFCConfigPolicyAssignment.json index 7e35d539fd..1acc9d549a 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/china/mcDINE-MDFCConfigPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/china/mcDINE-MDFCConfigPolicyAssignment.json @@ -55,7 +55,7 @@ }, "variables": { "policyDefinitions": { - "deployAzureSecurity": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config')]" + "deployAzureSecurity": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config-AzureChinaCloud')]" }, "policyAssignmentNames": { "azureSecurity": "Deploy-MDFC-Config", diff --git a/eslzArm/managementGroupTemplates/policyAssignments/china/mcDINE-PrivateDNSZonesPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/china/mcDINE-PrivateDNSZonesPolicyAssignment.json index ddd80950ce..8c1af5096d 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/china/mcDINE-PrivateDNSZonesPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/china/mcDINE-PrivateDNSZonesPolicyAssignment.json @@ -179,7 +179,7 @@ "azureSiteRecoveryQueuePrivateDnsZoneID": "[concat(variables('baseId'), 'privatelink.queue.core.chinacloudapi.cn')]" }, "policyDefinitions": { - "deployPrivateDnsZones": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json')]" + "deployPrivateDnsZones": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones-AzureChinaCloud')]" }, "policyAssignmentNames": { "deployPrivateDnsZones": "Deploy-Private-DNS-Zones", diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json index d8a9e1d2eb..40c274a247 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3427518993111177727" + "templateHash": "5556617491904947398" } }, "parameters": { @@ -78,63 +78,82 @@ ], "$fxv#0": "{\n \"name\": \"Audit-UnusedResourcesCostOptimization\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Unused resources driving cost should be avoided\",\n \"description\": \"Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Cost Optimization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectDisks\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Disks Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Compute/disks\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectPublicIpAddresses\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PublicIpAddresses Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Network/publicIpAddresses\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectServerFarms\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"ServerFarms Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Web/serverfarms\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AuditDisksUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDisks')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditPublicIpAddressesUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectPublicIpAddresses')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditServerFarmsUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectServerFarms')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditAzureHybridBenefitUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Audit\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#1": "{\n \"name\": \"Audit-TrustedLaunch\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Audit virtual machines for Trusted Launch support\",\n \"description\": \"Trusted Launch improves security of a Virtual Machine which requires VM SKU, OS Disk & OS Image to support it (Gen 2). To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Trusted Launch\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AuditDisksOsTrustedLaunch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b03bb370-5249-4ea4-9fce-2552e87e45fa\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditTrustedLaunchEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95b54ad-0614-4633-ab29-104b01235cbf\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#10": "{\n \"name\": \"Enforce-Guardrails-APIM\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for API Management\",\n \"description\": \"This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"API Management\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"apiSubscriptionScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"minimumApiVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSkuVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"apimApiBackendCertValidation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDirectApiEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimCallApiAuthn\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimEncryptedProtocols\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimVnetUsage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSecrets\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Kv\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSecrets')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimVnetUsage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS\",\n \"policyDefinitionReferenceId\": \"Deny-APIM-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Protocols\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimEncryptedProtocols')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Authn\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimCallApiAuthn')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Direct-Endpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDirectApiEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Cert-Validation\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimApiBackendCertValidation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2\",\n \"policyDefinitionReferenceId\": \"Dine-Apim-Public-NetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/73ef9241-5d81-4cd4-b483-8443d1730fe5\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Sku-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSkuVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('minimumApiVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1\",\n \"policyDefinitionReferenceId\": \"Deny-Api-subscription-scope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apiSubscriptionScope')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#11": "{\n \"name\": \"Enforce-Guardrails-AppServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for App Service\",\n \"description\": \"This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"functionAppDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceSkuPl\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuthFtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceScmAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsVnetRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceEnvLatestVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceByoc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Byoc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceByoc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Remote-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Remote-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Latest-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceEnvLatestVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Vnet-Routing\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsVnetRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Rfc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222\",\n \"policyDefinitionReferenceId\": \"Deny-AppServiceApps-Rfc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb\",\n \"policyDefinitionReferenceId\": \"DINE-FuncApp-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-ScmAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceScmAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-Routing\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-FtpAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuthFtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/546fe8d2-368d-4029-a418-6af48a7f61e5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-SkuPl\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceSkuPl')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0f98368e-36bc-4716-8ac2-8f8067203b63\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Apps-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-App-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#12": "{\n \"name\": \"Enforce-Guardrails-Automation\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"autoHotPatch\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc\",\n \"policyDefinitionReferenceId\": \"Deny-Windows-Vm-HotPatch\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('autoHotPatch')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#13": "{\n \"name\": \"Enforce-Guardrails-CognitiveServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cognitive Services\",\n \"description\": \"This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveSearchSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-SKU\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6300012e-e9a4-4649-b41f-a85f5c43be91\",\n \"policyDefinitionReferenceId\": \"Deny-CongitiveSearch-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4eb216f2-9dba-4979-86e6-5d7e63ce3b75\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9cee519f-d9c1-4fd9-9f79-24ec3449ed30\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#14": "{\n \"name\": \"Enforce-Guardrails-Compute\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Compute\",\n \"description\": \"This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Compute\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"diskDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vmAndVmssEncryptionHost\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87\",\n \"policyDefinitionReferenceId\": \"Deny-VmAndVmss-Encryption-Host\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vmAndVmssEncryptionHost')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816\",\n \"policyDefinitionReferenceId\": \"Deny-Disk-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('diskDoubleEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#15": "{\n \"name\": \"Enforce-Guardrails-ContainerApps\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsVnetInjection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApp-Vnet-Injection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsVnetInjection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#16": "{\n \"name\": \"Enforce-Guardrails-ContainerInstance\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Instances\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerInstanceVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8af8f826-edcb-4178-b35f-851ea6fea615\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceVnet')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#17": "{\n \"name\": \"Enforce-Guardrails-ContainerRegistry\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Registry\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Registry\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerRegistryUnrestrictedNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryExports\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistrySkuPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a9b426fe-8856-4945-8600-18c5dd1cca2a\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Repo-Token\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/42781ec6-6127-4c30-bdfa-fb423a0047d3\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Arm-Audience\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/785596ed-054f-41bc-aaec-7f3d0ba05725\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Arm-Audience\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd560fc0-3c69-498a-ae9f-aa8eb7de0e13\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Sku-PrivateLink\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistrySkuPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Anonymous-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Anonymous-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/524b0254-c285-4903-bee6-bb8126cde579\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Exports\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryExports')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff05e24e-195c-447e-b322-5e90c9f9f366\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Repo-Token\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Unrestricted-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryUnrestrictedNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3701552-92ea-433e-9d17-33b7f1208fc9\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#18": "{\n \"name\": \"Enforce-Guardrails-CosmosDb\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbAtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656\",\n \"policyDefinitionReferenceId\": \"Dine-CosmosDb-Atp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbAtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#19": "{\n \"name\": \"Enforce-Guardrails-DataExplorer\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Explorer\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Explorer is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Azure Data Explorer\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adxEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1fec9658-933f-4b3e-bc95-913ed22d012b\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Sku-without-PL-Support\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7b32f193-cb28-4e15-9a98-b9556db0bafa\",\n \"policyDefinitionReferenceId\": \"Modify-ADX-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#10": "{\n \"name\": \"Enforce-Guardrails-Compute\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Compute\",\n \"description\": \"This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Compute\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"diskDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vmAndVmssEncryptionHost\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87\",\n \"policyDefinitionReferenceId\": \"Deny-VmAndVmss-Encryption-Host\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vmAndVmssEncryptionHost')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816\",\n \"policyDefinitionReferenceId\": \"Deny-Disk-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('diskDoubleEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#11": "{\n \"name\": \"Enforce-Guardrails-ContainerInstance\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Instances\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerInstanceVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8af8f826-edcb-4178-b35f-851ea6fea615\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceVnet')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#12": "{\n \"name\": \"Enforce-Guardrails-ContainerRegistry\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Registry\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Registry\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerRegistryUnrestrictedNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryExports\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistrySkuPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a9b426fe-8856-4945-8600-18c5dd1cca2a\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Repo-Token\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/42781ec6-6127-4c30-bdfa-fb423a0047d3\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Arm-Audience\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/785596ed-054f-41bc-aaec-7f3d0ba05725\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Arm-Audience\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd560fc0-3c69-498a-ae9f-aa8eb7de0e13\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Sku-PrivateLink\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistrySkuPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Anonymous-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Anonymous-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/524b0254-c285-4903-bee6-bb8126cde579\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Exports\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryExports')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff05e24e-195c-447e-b322-5e90c9f9f366\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Repo-Token\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Unrestricted-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryUnrestrictedNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3701552-92ea-433e-9d17-33b7f1208fc9\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#13": "{\n \"name\": \"Enforce-Guardrails-DataExplorer\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Explorer\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Explorer is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Azure Data Explorer\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adxEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1fec9658-933f-4b3e-bc95-913ed22d012b\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Sku-without-PL-Support\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7b32f193-cb28-4e15-9a98-b9556db0bafa\",\n \"policyDefinitionReferenceId\": \"Modify-ADX-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#14": "{\n \"name\": \"Enforce-Guardrails-DataFactory\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Factory\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Factory is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Data Factory\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adfSqlIntegration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfLinkedServiceKeyVault\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfGit\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f78ccdb4-7bf4-4106-8647-270491d2978a\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/77d40665-3120-4348-b539-3192ec808307\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Git\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfGit')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/127ef6d7-242f-43b3-9eef-947faf1725d0\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Linked-Service-Key-Vault\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfLinkedServiceKeyVault')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0088bc63-6dee-4a9c-9d29-91cfdc848952\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Sql-Integration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfSqlIntegration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08b1442b-7789-4130-8506-4f99a97226a7\",\n \"policyDefinitionReferenceId\": \"Modify-Adf-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#15": "{\n \"name\": \"Enforce-Guardrails-EventGrid\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Grid\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Grid is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Grid\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventGridLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2dd0e8b9-4289-4bb0-b813-1883298e9924\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Partner-Namespace-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae9fb87f-8a17-4428-94a4-8135d431055c\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c8144d9-746a-4501-b08c-093c8d29ad04\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8632b003-3545-4b29-85e6-b2b96773df1e\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Partner-Namespace-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8bfadddb-ee1c-4639-8911-a38cb8e0b3bd\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/898e9824-104c-4965-8e0e-5197588fa5d4\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/36ea4b4b-0f7f-4a54-89fa-ab18f555a172\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#16": "{\n \"name\": \"Enforce-Guardrails-EventHub\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Hub\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Hub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventHubAuthRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/836cd60e-87f3-4e6a-a27c-29d687f01a4c\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/57f35901-8389-40bb-ac49-3ba4f86d889d\",\n \"policyDefinitionReferenceId\": \"Modify-EH-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5d4e3c65-4873-47be-94f3-6f8b953a3598\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Auth-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubAuthRules')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#17": "{\n \"name\": \"Enforce-Guardrails-Kubernetes\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Kubernetes\",\n \"description\": \"This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Kubernetes\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aksKms\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksCni\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivateCluster\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksCommandInvoke\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksReadinessOrLivenessProbes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivContainers\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivEscalation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksAllowedCapabilities\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksTempDisk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksInternalLb\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksDefaultNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksNakedPods\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksShareHostProcessAndNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksWindowsContainerAdministrator\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5485eac0-7e8f-4964-998b-a44f4f0c1e75\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Windows-Container-Administrator\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksWindowsContainerAdministrator')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Shared-Host-Process-Namespace\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksShareHostProcessAndNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65280eef-c8b4-425e-9aec-af55e55bf581\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Naked-Pods\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksNakedPods')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Default-Namespace\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksDefaultNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Internal-Lb\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksInternalLb')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Temp-Disk-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksTempDisk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Allowed-Capabilities\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksAllowedCapabilities')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Escalation\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivEscalation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Containers\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivContainers')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b1a9997f-2883-4f12-bdff-2280f99b5915\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-ReadinessOrLiveness-Probes\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksReadinessOrLivenessProbes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b708b0a-3380-40e9-8b79-821f9fa224cc\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Command-Invoke\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCommandInvoke')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Policy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPolicy')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Private-Cluster\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivateCluster')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dbbdc317-9734-4dd8-9074-993b29c69008\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Kms\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksKms')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46238e2f-3f6f-4589-9f3f-77bed4116e67\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Cni\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCni')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#18": "{\n \"name\": \"Enforce-Guardrails-MachineLearning\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Machine Learning\",\n \"description\": \"This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mlUserAssignedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"mlLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlOutdatedOS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f110a506-2dcb-422e-bcea-d533fc8c35e2\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Outdated-Os\",\n \"groupNames\": [],\n \"parameters\": {\n \"effects\": {\n \"value\": \"[[parameters('mlOutdatedOS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6f9a2d0-cff7-4855-83ad-4cd750666512\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0c7d88-c7de-45b8-ac49-db49e72eaa78\",\n \"policyDefinitionReferenceId\": \"Deny-ML-User-Assigned-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlUserAssignedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a10ee784-7409-4941-b091-663697637c0f\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#19": "{\n \"name\": \"Enforce-Guardrails-OpenAI\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Open AI (Cognitive Service)\",\n \"description\": \"This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveServicesOutboundNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAcls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesCustomerStorage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-OutboundNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesOutboundNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-NetworkAcls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAcls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Cust-Storage\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesCustomerStorage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyDisableLocalAuth')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#2": "{\n \"name\": \"Deploy-Sql-Security\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy SQL Database built-in SQL security configuration\",\n \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-Sql-Security_20240529.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-Sql-Security_20240529\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"metadata\": {\n \"description\": \"The email address to send alerts\",\n \"displayName\": \"The email address to send alerts\"\n },\n \"type\": \"String\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n },\n \"type\": \"String\"\n },\n \"SqlDbTdeDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n }\n },\n \"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n }\n },\n \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL database auditing settings\",\n \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n }\n },\n \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#20": "{\n \"name\": \"Enforce-Guardrails-DataFactory\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Factory\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Factory is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Data Factory\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adfSqlIntegration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfLinkedServiceKeyVault\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfGit\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f78ccdb4-7bf4-4106-8647-270491d2978a\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/77d40665-3120-4348-b539-3192ec808307\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Git\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfGit')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/127ef6d7-242f-43b3-9eef-947faf1725d0\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Linked-Service-Key-Vault\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfLinkedServiceKeyVault')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0088bc63-6dee-4a9c-9d29-91cfdc848952\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Sql-Integration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfSqlIntegration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08b1442b-7789-4130-8506-4f99a97226a7\",\n \"policyDefinitionReferenceId\": \"Modify-Adf-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#21": "{\n \"name\": \"Enforce-Guardrails-EventGrid\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Grid\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Grid is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Grid\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventGridLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2dd0e8b9-4289-4bb0-b813-1883298e9924\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Partner-Namespace-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae9fb87f-8a17-4428-94a4-8135d431055c\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c8144d9-746a-4501-b08c-093c8d29ad04\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8632b003-3545-4b29-85e6-b2b96773df1e\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Partner-Namespace-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8bfadddb-ee1c-4639-8911-a38cb8e0b3bd\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/898e9824-104c-4965-8e0e-5197588fa5d4\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/36ea4b4b-0f7f-4a54-89fa-ab18f555a172\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#22": "{\n \"name\": \"Enforce-Guardrails-EventHub\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Hub\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Hub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventHubAuthRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/836cd60e-87f3-4e6a-a27c-29d687f01a4c\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/57f35901-8389-40bb-ac49-3ba4f86d889d\",\n \"policyDefinitionReferenceId\": \"Modify-EH-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5d4e3c65-4873-47be-94f3-6f8b953a3598\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Auth-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubAuthRules')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#23": "{\n \"name\": \"Enforce-Guardrails-KeyVault-Sup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce additional recommended guardrails for Key Vault\",\n \"description\": \"This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"keyVaultManagedHsmDisablePublicNetworkModify\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"keyVaultModifyFw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456\",\n \"policyDefinitionReferenceId\": \"Modify-KV-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\",\n \"policyDefinitionReferenceId\": \"Modify-KV-Fw\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultModifyFw')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#24": "{\n \"name\": \"Enforce-Guardrails-Kubernetes\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Kubernetes\",\n \"description\": \"This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Kubernetes\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aksKms\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksCni\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivateCluster\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksCommandInvoke\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksReadinessOrLivenessProbes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivContainers\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivEscalation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksAllowedCapabilities\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksTempDisk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksInternalLb\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksDefaultNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksNakedPods\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksShareHostProcessAndNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksWindowsContainerAdministrator\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5485eac0-7e8f-4964-998b-a44f4f0c1e75\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Windows-Container-Administrator\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksWindowsContainerAdministrator')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Shared-Host-Process-Namespace\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksShareHostProcessAndNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65280eef-c8b4-425e-9aec-af55e55bf581\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Naked-Pods\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksNakedPods')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Default-Namespace\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksDefaultNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Internal-Lb\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksInternalLb')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Temp-Disk-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksTempDisk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Allowed-Capabilities\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksAllowedCapabilities')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Escalation\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivEscalation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Containers\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivContainers')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b1a9997f-2883-4f12-bdff-2280f99b5915\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-ReadinessOrLiveness-Probes\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksReadinessOrLivenessProbes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b708b0a-3380-40e9-8b79-821f9fa224cc\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Command-Invoke\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCommandInvoke')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Policy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPolicy')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Private-Cluster\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivateCluster')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dbbdc317-9734-4dd8-9074-993b29c69008\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Kms\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksKms')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46238e2f-3f6f-4589-9f3f-77bed4116e67\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Cni\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCni')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#25": "{\n \"name\": \"Enforce-Guardrails-MachineLearning\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Machine Learning\",\n \"description\": \"This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mlUserAssignedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"mlLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlOutdatedOS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f110a506-2dcb-422e-bcea-d533fc8c35e2\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Outdated-Os\",\n \"groupNames\": [],\n \"parameters\": {\n \"effects\": {\n \"value\": \"[[parameters('mlOutdatedOS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6f9a2d0-cff7-4855-83ad-4cd750666512\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0c7d88-c7de-45b8-ac49-db49e72eaa78\",\n \"policyDefinitionReferenceId\": \"Deny-ML-User-Assigned-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlUserAssignedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a10ee784-7409-4941-b091-663697637c0f\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#26": "{\n \"name\": \"Enforce-Guardrails-MySQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mySqlInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlInfraEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#27": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafAfdEnabled\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Afd-Enabled\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafAfdEnabled')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#28": "{\n \"name\": \"Enforce-Guardrails-OpenAI\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Open AI (Cognitive Service)\",\n \"description\": \"This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveServicesOutboundNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAcls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesCustomerStorage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-OutboundNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesOutboundNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-NetworkAcls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAcls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Cust-Storage\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesCustomerStorage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyDisableLocalAuth')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#29": "{\n \"name\": \"Enforce-Guardrails-PostgreSQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for PostgreSQL\",\n \"description\": \"This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"PostgreSQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"postgreSqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3\",\n \"policyDefinitionReferenceId\": \"Dine-PostgreSql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#20": "{\n \"name\": \"Enforce-Guardrails-PostgreSQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for PostgreSQL\",\n \"description\": \"This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"PostgreSQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"postgreSqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3\",\n \"policyDefinitionReferenceId\": \"Dine-PostgreSql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#21": "{\n \"name\": \"Enforce-Guardrails-ServiceBus\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Service Bus\",\n \"description\": \"This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Service Bus\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"serviceBusModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyDisabledLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusAuthzRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Authz-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusAuthzRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebaf4f25-a4e8-415f-86a8-42d9155bef0b\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfb11c26-f069-4c14-8e36-56c394dae5af\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyDisabledLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e\",\n \"policyDefinitionReferenceId\": \"Modify-Sb-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusModifyDisableLocalAuth')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#22": "{\n \"name\": \"Enforce-Guardrails-SQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for SQL and SQL Managed Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"sqlManagedAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"modifySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Managed-Defender\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Aad-Only\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Aad-Only\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Adv-Data\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b\",\n \"policyDefinitionReferenceId\": \"Modify-Sql-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifySqlPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#23": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\n \"policyDefinitionReferenceId\": \"Dine-Storage-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#24": "{\n \"name\": \"Enforce-Guardrails-Synapse\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Synapse workspaces\",\n \"description\": \"This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Synapse\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"synapseLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseManagedVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseDataTraffic\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTenants\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseAllowedTenantIds\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"[[subscription().tenantId]\"\n ]\n },\n \"synapseFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"synapseModifyTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6\",\n \"policyDefinitionReferenceId\": \"Dine-Synapse-Defender\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3624673-d2ff-48e0-b28c-5de1c6767c3c\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56fd377d-098c-4f02-8406-81eb055902b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a003702-13d2-4679-941b-937e58c443f0\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tenant-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTenants')]\"\n },\n \"allowedTenantIds\": {\n \"value\": \"[[parameters('synapseAllowedTenantIds')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3484ce98-c0c5-4c83-994b-c5ac24785218\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Data-Traffic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDataTraffic')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d9dbfa3-927b-4cf0-9d0f-08747f971650\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Managed-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseManagedVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b5c654c-fb07-471b-aa8f-15fea733f140\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c8cad01-ef30-4891-b230-652dadb4876a\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#25": "{\n \"name\": \"Enforce-Guardrails-VirtualDesktop\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Virtual Desktop\",\n \"description\": \"This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Desktop Virtualization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"avdWorkspaceModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ce6ebf1d-0b94-4df9-9257-d8cacc238b4f\",\n \"policyDefinitionReferenceId\": \"Modify-Workspace-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspaceModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a0913ff-51e7-47b8-97bb-ea17127f7c8d\",\n \"policyDefinitionReferenceId\": \"Modify-Hostpool-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#26": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"5.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registries with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"PostgreSQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSql Flexible Server\",\n \"description\": \"This policy denies creation of PostgreSQL Flexible DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"postgreSqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSQL servers\",\n \"description\": \"This policy denies creation of PostgreSQL DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MySQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for MySQL Flexible Server\",\n \"description\": \"This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MlPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Machine Learning\",\n \"description\": \"This policy denies creation of Azure Machine Learning with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"RedisCachePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Cache for Redis\",\n \"description\": \"This policy denies creation of Azure Cache for Redis with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BotServicePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Bot Service\",\n \"description\": \"This policy denies creation of Bot Service with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AutomationPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Automation accounts\",\n \"description\": \"This policy denies creation of Automation accounts with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AppConfigPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Configuration\",\n \"description\": \"This policy denies creation of App Configuration with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionAppSlotPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service Environment apps\",\n \"description\": \"This policy denies creation of App Service Environment apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service apps\",\n \"description\": \"This policy denies creation of App Service apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ApiManPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for API Management services\",\n \"description\": \"This policy denies creation of API Management services with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n },\n \"ContainerAppsEnvironmentDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Container Apps environment should disable public network access\",\n \"description\": \"This policy denies creation of Container Apps Environment with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsrVaultDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Azure Recovery Services vaults should disable public network access\",\n \"description\": \"This policy denies creation of Azure Recovery Services vaults with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"logicAppPublicNetworkAccessEffect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"appSlotsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"cognitiveSearchPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"managedDiskPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"containerAppsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmDisablePublicNetwork\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapsePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdWorkspacePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"grafanaPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-PostgreSql-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MlPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisCachePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BotServiceDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BotServicePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppConfigDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppConfigPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppSlotsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/11c82d0c-db9f-4d7b-97c5-f3f9aa957da2\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppSlotPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AseDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApiManDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ApiManPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsEnvironmentDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsEnvironmentDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/783ea2a8-b8fd-46be-896a-9ae79643a0b1\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"AsrVaultDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9ebbbba3-4d65-4da9-bb67-b22cfaaff090\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsrVaultDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppPublicNetworkAccessEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/701a595d-38fb-4a66-ae6d-fb3735217622\",\n \"policyDefinitionReferenceId\": \"Deny-AppSlots-Public\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appSlotsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8405fdab-1faf-48aa-b702-999c9c172094\",\n \"policyDefinitionReferenceId\": \"Deny-ManagedDisk-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('managedDiskPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43bc7be6-5e69-4b0d-a2bb-e815557ca673\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1cf164be-6819-4a50-b8fa-4bcaa4f98fb6\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8f774be-6aee-492a-9e29-486ef81f3a68\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1adadefe-5f21-44f7-b931-a59b54ccdb45\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0602787f-9896-402a-a6e1-39ee63ee435e\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/19ea9d63-adee-4431-a95e-1913c6c1c75f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PublicNetwork\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetwork')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cbd11fd3-3002-4907-b6c8-579f0e700e13\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Public-Endpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Public-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsPublicAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/38d8df46-cf4e-4073-8e03-48c24b29de0d\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapsePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ac3038-c07a-4b92-860d-29e270a4f3cd\",\n \"policyDefinitionReferenceId\": \"Deny-Workspace-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspacePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c25dcf31-878f-4eba-98eb-0818fdc6a334\",\n \"policyDefinitionReferenceId\": \"Deny-Hostpool-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8775d5a-73b7-4977-a39b-833ef0114628\",\n \"policyDefinitionReferenceId\": \"Deny-Grafana-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('grafanaPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#27": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. This policy set is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"2.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for API Management to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for API Management to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for Firewall to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for Firewall to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Log Analytics to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category Audit enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AVDScalingPlansLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AVDScalingPlansLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#28": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html\",\n \"metadata\": {\n \"version\": \"7.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-MDFC-Config_20240319\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"default\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForApis\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForApis\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForApis')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#29": "{\n \"name\": \"Deploy-MDFC-Config_20240319\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-MDFC-Config\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"mdeTvm\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#3": "{\n \"name\": \"Deploy-Sql-Security_20240529\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy SQL Database built-in SQL security configuration\",\n \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-Sql-Security\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"metadata\": {\n \"description\": \"The email address to send alerts\",\n \"displayName\": \"The email address to send alerts\"\n },\n \"type\": \"Array\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n },\n \"type\": \"String\"\n },\n \"SqlDbTdeDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n }\n },\n \"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n }\n },\n \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL database auditing settings\",\n \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n }\n },\n \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments_20230706\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#30": "{\n \"name\": \"Enforce-Guardrails-ServiceBus\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Service Bus\",\n \"description\": \"This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Service Bus\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"serviceBusModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyDisabledLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusAuthzRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Authz-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusAuthzRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebaf4f25-a4e8-415f-86a8-42d9155bef0b\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfb11c26-f069-4c14-8e36-56c394dae5af\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyDisabledLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e\",\n \"policyDefinitionReferenceId\": \"Modify-Sb-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusModifyDisableLocalAuth')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#31": "{\n \"name\": \"Enforce-Guardrails-SQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for SQL and SQL Managed Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"sqlManagedAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"modifySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Managed-Defender\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Aad-Only\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Aad-Only\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Adv-Data\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b\",\n \"policyDefinitionReferenceId\": \"Modify-Sql-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifySqlPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#32": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\n \"policyDefinitionReferenceId\": \"Dine-Storage-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#33": "{\n \"name\": \"Enforce-Guardrails-Synapse\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Synapse workspaces\",\n \"description\": \"This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Synapse\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"synapseLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseManagedVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseDataTraffic\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTenants\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseAllowedTenantIds\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"[[subscription().tenantId]\"\n ]\n },\n \"synapseFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"synapseModifyTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6\",\n \"policyDefinitionReferenceId\": \"Dine-Synapse-Defender\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3624673-d2ff-48e0-b28c-5de1c6767c3c\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56fd377d-098c-4f02-8406-81eb055902b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a003702-13d2-4679-941b-937e58c443f0\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tenant-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTenants')]\"\n },\n \"allowedTenantIds\": {\n \"value\": \"[[parameters('synapseAllowedTenantIds')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3484ce98-c0c5-4c83-994b-c5ac24785218\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Data-Traffic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDataTraffic')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d9dbfa3-927b-4cf0-9d0f-08747f971650\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Managed-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseManagedVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b5c654c-fb07-471b-aa8f-15fea733f140\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c8cad01-ef30-4891-b230-652dadb4876a\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#34": "{\n \"name\": \"Enforce-Guardrails-VirtualDesktop\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Virtual Desktop\",\n \"description\": \"This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Desktop Virtualization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"avdWorkspaceModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ce6ebf1d-0b94-4df9-9257-d8cacc238b4f\",\n \"policyDefinitionReferenceId\": \"Modify-Workspace-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspaceModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a0913ff-51e7-47b8-97bb-ea17127f7c8d\",\n \"policyDefinitionReferenceId\": \"Modify-Hostpool-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#35": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"5.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registries with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"PostgreSQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSql Flexible Server\",\n \"description\": \"This policy denies creation of PostgreSQL Flexible DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"postgreSqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSQL servers\",\n \"description\": \"This policy denies creation of PostgreSQL DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MySQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for MySQL Flexible Server\",\n \"description\": \"This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MlPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Machine Learning\",\n \"description\": \"This policy denies creation of Azure Machine Learning with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"RedisCachePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Cache for Redis\",\n \"description\": \"This policy denies creation of Azure Cache for Redis with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BotServicePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Bot Service\",\n \"description\": \"This policy denies creation of Bot Service with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AutomationPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Automation accounts\",\n \"description\": \"This policy denies creation of Automation accounts with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AppConfigPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Configuration\",\n \"description\": \"This policy denies creation of App Configuration with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionAppSlotPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service Environment apps\",\n \"description\": \"This policy denies creation of App Service Environment apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service apps\",\n \"description\": \"This policy denies creation of App Service apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ApiManPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for API Management services\",\n \"description\": \"This policy denies creation of API Management services with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n },\n \"ContainerAppsEnvironmentDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Container Apps environment should disable public network access\",\n \"description\": \"This policy denies creation of Container Apps Environment with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsrVaultDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Azure Recovery Services vaults should disable public network access\",\n \"description\": \"This policy denies creation of Azure Recovery Services vaults with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"logicAppPublicNetworkAccessEffect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"appSlotsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"cognitiveSearchPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"managedDiskPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"containerAppsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmDisablePublicNetwork\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapsePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdWorkspacePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"grafanaPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-PostgreSql-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MlPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisCachePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BotServiceDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BotServicePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppConfigDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppConfigPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppSlotsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/11c82d0c-db9f-4d7b-97c5-f3f9aa957da2\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppSlotPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AseDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApiManDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ApiManPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsEnvironmentDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsEnvironmentDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/783ea2a8-b8fd-46be-896a-9ae79643a0b1\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"AsrVaultDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9ebbbba3-4d65-4da9-bb67-b22cfaaff090\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsrVaultDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppPublicNetworkAccessEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/701a595d-38fb-4a66-ae6d-fb3735217622\",\n \"policyDefinitionReferenceId\": \"Deny-AppSlots-Public\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appSlotsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8405fdab-1faf-48aa-b702-999c9c172094\",\n \"policyDefinitionReferenceId\": \"Deny-ManagedDisk-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('managedDiskPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43bc7be6-5e69-4b0d-a2bb-e815557ca673\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1cf164be-6819-4a50-b8fa-4bcaa4f98fb6\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8f774be-6aee-492a-9e29-486ef81f3a68\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1adadefe-5f21-44f7-b931-a59b54ccdb45\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0602787f-9896-402a-a6e1-39ee63ee435e\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/19ea9d63-adee-4431-a95e-1913c6c1c75f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PublicNetwork\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetwork')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cbd11fd3-3002-4907-b6c8-579f0e700e13\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Public-Endpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Public-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsPublicAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/38d8df46-cf4e-4073-8e03-48c24b29de0d\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapsePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ac3038-c07a-4b92-860d-29e270a4f3cd\",\n \"policyDefinitionReferenceId\": \"Deny-Workspace-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspacePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c25dcf31-878f-4eba-98eb-0818fdc6a334\",\n \"policyDefinitionReferenceId\": \"Deny-Hostpool-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8775d5a-73b7-4977-a39b-833ef0114628\",\n \"policyDefinitionReferenceId\": \"Deny-Grafana-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('grafanaPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#36": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. This policy set is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"2.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for API Management to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for API Management to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for Firewall to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for Firewall to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Log Analytics to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category Audit enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AVDScalingPlansLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AVDScalingPlansLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#37": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html\",\n \"metadata\": {\n \"version\": \"7.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-MDFC-Config_20240319\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"default\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForApis\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForApis\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForApis')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#38": "{\n \"name\": \"Deploy-MDFC-Config_20240319\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-MDFC-Config\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"mdeTvm\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#39": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"2.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDatabricksPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDatabricksPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureHDInsightPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMigratePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMigratePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueueSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueueSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesKeyPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesKeyPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesLivePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesLivePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesStreamPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesStreamPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBotServicePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBotServicePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureManagedGrafanaWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureManagedGrafanaWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotDeviceupdatePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotDeviceupdatePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcGuestconfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcGuestconfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcHybridResourceProviderPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcHybridResourceProviderPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcKubernetesConfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcKubernetesConfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotCentralPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotCentralPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-UI-Api\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"databricks_ui_api\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-Browser-AuthN\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"browser_authentication\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Migrate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMigratePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Key\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesKeyPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"keydelivery\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Live\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesLivePrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"liveevent\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Stream\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesStreamPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"streamingendpoint\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-BotService\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6a4e6f44-f2af-4082-9702-033c9e88b9f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBotServicePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ManagedGrafanaWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4c8537f8-cd1b-49ec-b704-18e82a42fd58\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureManagedGrafanaWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTDeviceupdate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotDeviceupdatePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Arc\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9\",\n \"parameters\":{\n \"privateDnsZoneIDForGuestConfiguration\": {\n \"value\": \"[[parameters('azureArcGuestconfigurationPrivateDnsZoneId')]\"\n },\n \"privateDnsZoneIDForHybridResourceProvider\": {\n \"value\": \"[[parameters('azureArcHybridResourceProviderPrivateDnsZoneId')]\"\n },\n \"privateDnsZoneIDForKubernetesConfiguration\": {\n \"value\": \"[[parameters('azureArcKubernetesConfigurationPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTCentral\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d627d7c6-ded5-481a-8f2e-7e16b1e6faf6\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotCentralPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTablePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#4": "{\n \"name\": \"Enforce-EncryptTransit\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html\",\n \"metadata\": {\n \"version\": \"2.1.0-deprecated\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Enforce-EncryptTransit_20240509\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"StorageHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }", - "$fxv#40": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"3.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"HealthcareAPIsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest\",\n \"description\": \"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n },\n \"AutomationAccountCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"BackupCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"osAndDataDiskCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerInstanceCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"eventHubPremiumCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlManagedCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageTableCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsEncryptionCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageQueueCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HealthcareAPIsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('HealthcareAPIsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationAccountCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671\",\n \"policyDefinitionReferenceId\": \"Deny-Backup-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BackupCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0\",\n \"policyDefinitionReferenceId\": \"Deny-OsAndDataDisk-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('osAndDataDiskCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Premium-CMK\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubPremiumCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c322315-e26d-4174-a99e-f49d351b4688\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Table-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageTableCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Encryption-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsEncryptionCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e5abd0-2554-4736-b7c0-4ffef23475ef\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Queue-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageQueueCmk')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#41": "{\n \"name\": \"Enforce-ACSB\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce Azure Compute Security Benchmark compliance auditing\",\n \"description\": \"Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Guest Configuration\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"includeArcMachines\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"true\",\n \"false\"\n ],\n \"metadata\": {\n \"displayName\": \"Include Arc connected servers\",\n \"description\": \"By selecting this option, you agree to be charged monthly per Arc connected machine.\"\n },\n \"defaultValue\": \"true\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"GcIdentity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#42": "{\n \"name\": \"Deploy-MDFC-DefenderSQL-AMA\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Configure SQL VM and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LAW\",\n \"description\": \"Initiative is deprecated as the built-in initiative now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/de01d381-bae9-4670-8870-786f89f49e26.html\",\n \"metadata\": {\n \"version\": \"1.0.1-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"de01d381-bae9-4670-8870-786f89f49e26\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace Resource Id\",\n \"description\": \"Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Enable collection of SQL queries for security research\",\n \"description\": \"Enable or disable the collection of SQL queries for security research.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"identityResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Identity Resource Group\",\n \"description\": \"The name of the resource group created by the policy.\"\n },\n \"defaultValue\": \"\"\n },\n \"userAssignedIdentityName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User Assigned Managed Identity Name\",\n \"description\": \"The name of the user assigned managed identity.\"\n },\n \"defaultValue\": \"\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3592ff98-9787-443a-af59-4505d0fe0786\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65503269-6a54-4553-8a28-0065a8e6d929\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-Sql-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcDcrAssociation\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DCR-Association\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"identityResourceGroup\": {\n \"value\": \"[[parameters('identityResourceGroup')]\"\n },\n \"userAssignedIdentityName\": {\n \"value\": \"[[parameters('userAssignedIdentityName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Disabled\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#43": "{\n \"name\": \"Enforce-Backup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce enhanced recovery and backup policies\",\n \"description\": \"Enforce enhanced recovery and backup policies on assigned scopes.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Backup\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"checkLockedImmutabilityOnly\",\n \"description\": \"This parameter checks if Immutability is locked for Backup Vaults in scope. Selecting 'true' will mark only vaults with Immutability 'Locked' as compliant. Selecting 'false' will mark vaults that have Immutability either 'Enabled' or 'Locked' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"CheckAlwaysOnSoftDeleteOnly\",\n \"description\": \"This parameter checks if Soft Delete is 'Locked' for Backup Vaults in scope. Selecting 'true' will mark only vaults with Soft Delete 'AlwaysOn' as compliant. Selecting 'false' will mark vaults that have Soft Delete either 'On' or 'AlwaysOn' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2514263b-bc0d-4b06-ac3e-f262c0979018\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabiltyOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6f6f560-14b7-49a4-9fc8-d2c3a9807868\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9798d31d-6028-4dee-8643-46102185c016\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/31b8092a-36b8-434b-9af7-5ec844364148\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c58e083e-7982-4e24-afdc-be14d312389e\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c7031eab-0fc0-4cd9-acd0-4497bd66d91a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#44": "{\n \"name\": \"Enforce-ALZ-Decomm\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Decommissioned Landing Zone\",\n \"description\": \"Enforce policies in the Decommissioned Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Decommissioned\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [ \n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesAllowed\":{\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Allowed resource types in the Decommissioned landing zone\",\n \"description\": \"Allowed resource types in the Decommissioned landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DecomDenyResources\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c\",\n \"parameters\": {\n \"listOfResourceTypesAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DecomShutdownMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }\n ", - "$fxv#45": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-KeyVaultPaasPublicIP\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#46": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#47": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#48": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotDeviceupdatePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotDeviceupdatePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTDeviceupdate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotDeviceupdatePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTablePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#30": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"2.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDatabricksPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDatabricksPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureHDInsightPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMigratePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMigratePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueueSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueueSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesKeyPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesKeyPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesLivePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesLivePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesStreamPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesStreamPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBotServicePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBotServicePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureManagedGrafanaWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureManagedGrafanaWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotDeviceupdatePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotDeviceupdatePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcGuestconfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcGuestconfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcHybridResourceProviderPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcHybridResourceProviderPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcKubernetesConfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcKubernetesConfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotCentralPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotCentralPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-UI-Api\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"databricks_ui_api\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-Browser-AuthN\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"browser_authentication\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Migrate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMigratePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Key\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesKeyPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"keydelivery\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Live\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesLivePrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"liveevent\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Stream\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesStreamPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"streamingendpoint\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-BotService\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6a4e6f44-f2af-4082-9702-033c9e88b9f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBotServicePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ManagedGrafanaWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4c8537f8-cd1b-49ec-b704-18e82a42fd58\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureManagedGrafanaWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTDeviceupdate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotDeviceupdatePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Arc\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9\",\n \"parameters\":{\n \"privateDnsZoneIDForGuestConfiguration\": {\n \"value\": \"[[parameters('azureArcGuestconfigurationPrivateDnsZoneId')]\"\n },\n \"privateDnsZoneIDForHybridResourceProvider\": {\n \"value\": \"[[parameters('azureArcHybridResourceProviderPrivateDnsZoneId')]\"\n },\n \"privateDnsZoneIDForKubernetesConfiguration\": {\n \"value\": \"[[parameters('azureArcKubernetesConfigurationPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTCentral\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d627d7c6-ded5-481a-8f2e-7e16b1e6faf6\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotCentralPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTablePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#31": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"3.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"HealthcareAPIsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest\",\n \"description\": \"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n },\n \"AutomationAccountCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"BackupCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"osAndDataDiskCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerInstanceCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"eventHubPremiumCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlManagedCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageTableCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsEncryptionCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageQueueCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HealthcareAPIsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('HealthcareAPIsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationAccountCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671\",\n \"policyDefinitionReferenceId\": \"Deny-Backup-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BackupCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0\",\n \"policyDefinitionReferenceId\": \"Deny-OsAndDataDisk-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('osAndDataDiskCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Premium-CMK\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubPremiumCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c322315-e26d-4174-a99e-f49d351b4688\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Table-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageTableCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Encryption-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsEncryptionCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e5abd0-2554-4736-b7c0-4ffef23475ef\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Queue-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageQueueCmk')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#32": "{\n \"name\": \"Enforce-ACSB\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce Azure Compute Security Benchmark compliance auditing\",\n \"description\": \"Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Guest Configuration\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"includeArcMachines\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"true\",\n \"false\"\n ],\n \"metadata\": {\n \"displayName\": \"Include Arc connected servers\",\n \"description\": \"By selecting this option, you agree to be charged monthly per Arc connected machine.\"\n },\n \"defaultValue\": \"true\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"GcIdentity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#33": "{\n \"name\": \"Deploy-MDFC-DefenderSQL-AMA\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Configure SQL VM and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LAW\",\n \"description\": \"Initiative is deprecated as the built-in initiative now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/de01d381-bae9-4670-8870-786f89f49e26.html\",\n \"metadata\": {\n \"version\": \"1.0.1-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"de01d381-bae9-4670-8870-786f89f49e26\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace Resource Id\",\n \"description\": \"Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Enable collection of SQL queries for security research\",\n \"description\": \"Enable or disable the collection of SQL queries for security research.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"identityResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Identity Resource Group\",\n \"description\": \"The name of the resource group created by the policy.\"\n },\n \"defaultValue\": \"\"\n },\n \"userAssignedIdentityName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User Assigned Managed Identity Name\",\n \"description\": \"The name of the user assigned managed identity.\"\n },\n \"defaultValue\": \"\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3592ff98-9787-443a-af59-4505d0fe0786\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65503269-6a54-4553-8a28-0065a8e6d929\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-Sql-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcDcrAssociation\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DCR-Association\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"identityResourceGroup\": {\n \"value\": \"[[parameters('identityResourceGroup')]\"\n },\n \"userAssignedIdentityName\": {\n \"value\": \"[[parameters('userAssignedIdentityName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Disabled\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#34": "{\n \"name\": \"Enforce-Backup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce enhanced recovery and backup policies\",\n \"description\": \"Enforce enhanced recovery and backup policies on assigned scopes.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Backup\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"checkLockedImmutabilityOnly\",\n \"description\": \"This parameter checks if Immutability is locked for Backup Vaults in scope. Selecting 'true' will mark only vaults with Immutability 'Locked' as compliant. Selecting 'false' will mark vaults that have Immutability either 'Enabled' or 'Locked' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"CheckAlwaysOnSoftDeleteOnly\",\n \"description\": \"This parameter checks if Soft Delete is 'Locked' for Backup Vaults in scope. Selecting 'true' will mark only vaults with Soft Delete 'AlwaysOn' as compliant. Selecting 'false' will mark vaults that have Soft Delete either 'On' or 'AlwaysOn' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2514263b-bc0d-4b06-ac3e-f262c0979018\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabiltyOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6f6f560-14b7-49a4-9fc8-d2c3a9807868\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9798d31d-6028-4dee-8643-46102185c016\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/31b8092a-36b8-434b-9af7-5ec844364148\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c58e083e-7982-4e24-afdc-be14d312389e\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c7031eab-0fc0-4cd9-acd0-4497bd66d91a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#35": "{\n \"name\": \"Enforce-ALZ-Decomm\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Decommissioned Landing Zone\",\n \"description\": \"Enforce policies in the Decommissioned Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Decommissioned\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [ \n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesAllowed\":{\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Allowed resource types in the Decommissioned landing zone\",\n \"description\": \"Allowed resource types in the Decommissioned landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DecomDenyResources\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c\",\n \"parameters\": {\n \"listOfResourceTypesAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DecomShutdownMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }\n ", + "$fxv#36": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\n \"policyDefinitionReferenceId\": \"Dine-Storage-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#37": "{\n \"name\": \"Enforce-Guardrails-KeyVault-Sup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce additional recommended guardrails for Key Vault\",\n \"description\": \"This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"keyVaultManagedHsmDisablePublicNetworkModify\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"keyVaultModifyFw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456\",\n \"policyDefinitionReferenceId\": \"Modify-KV-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\",\n \"policyDefinitionReferenceId\": \"Modify-KV-Fw\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultModifyFw')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#38": "{\n \"name\": \"Enforce-EncryptTransit\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html\",\n \"metadata\": {\n \"version\": \"2.1.0-deprecated\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Enforce-EncryptTransit_20240509\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"StorageHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }", + "$fxv#39": "{\n \"name\": \"Enforce-EncryptTransit_20240509\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#4": "{\n \"name\": \"Enforce-ALZ-Sandbox\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Sandbox Landing Zone\",\n \"description\": \"Enforce policies in the Sandbox Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Sandbox\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesNotAllowed\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Not allowed resource types in the Sandbox landing zone\",\n \"description\": \"Not allowed resource types in the Sandbox landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n },\n \"effectNotAllowedResources\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectDenyVnetPeering\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SandboxNotAllowed\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectNotAllowedResources')]\"\n },\n \"listOfResourceTypesNotAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesNotAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SandboxDenyVnetPeering\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDenyVnetPeering')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#40": "{\n \"name\": \"Enforce-Guardrails-ContainerApps\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsVnetInjection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApp-Vnet-Injection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsVnetInjection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#41": "{\n \"name\": \"Enforce-Guardrails-KeyVault\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultManagedHsmCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57\",\n \"policyDefinitionReferenceId\": \"Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#42": "{\n \"name\": \"Enforce-Guardrails-Automation\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"autoHotPatch\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc\",\n \"policyDefinitionReferenceId\": \"Deny-Windows-Vm-HotPatch\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('autoHotPatch')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#43": "{\n \"name\": \"Enforce-Guardrails-MySQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mySqlInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlInfraEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#44": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafAfdEnabled\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Afd-Enabled\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafAfdEnabled')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#45": "{\n \"name\": \"Enforce-Guardrails-CosmosDb\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbAtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656\",\n \"policyDefinitionReferenceId\": \"Dine-CosmosDb-Atp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbAtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#46": "{\n \"name\": \"Deny-PublicPaaSEndpoints-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registries with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-KeyVaultPaasPublicIP\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#47": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#48": "{\n \"name\": \"Deploy-MDFC-Config-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#49": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#5": "{\n \"name\": \"Enforce-EncryptTransit_20240509\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#50": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#51": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#52": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccounts\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#53": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#54": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#6": "{\n \"name\": \"Enforce-ALZ-Sandbox\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Sandbox Landing Zone\",\n \"description\": \"Enforce policies in the Sandbox Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Sandbox\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesNotAllowed\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Not allowed resource types in the Sandbox landing zone\",\n \"description\": \"Not allowed resource types in the Sandbox landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n },\n \"effectNotAllowedResources\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectDenyVnetPeering\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SandboxNotAllowed\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectNotAllowedResources')]\"\n },\n \"listOfResourceTypesNotAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesNotAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SandboxDenyVnetPeering\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDenyVnetPeering')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#7": "{\n \"name\": \"DenyAction-DeleteProtection\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"DenyAction Delete - Activity Log Settings and Diagnostic Settings\",\n \"description\": \"Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-DiagnosticSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-ActivityLogSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#8": "{\n \"name\": \"Deploy-AUM-CheckUpdates\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines\",\n \"description\": \"Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"assessmentMode\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Assessment mode\",\n \"description\": \"Assessment mode for the machines.\"\n },\n \"allowedValues\": [\n \"ImageDefault\",\n \"AutomaticByPlatform\"\n ],\n \"defaultValue\": \"AutomaticByPlatform\"\n },\n \"locations\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Machines locations\",\n \"description\": \"The list of locations from which machines need to be targeted.\",\n \"strongType\": \"location\"\n },\n \"defaultValue\": []\n },\n \"tagValues\": {\n \"type\": \"Object\",\n \"metadata\": {\n \"displayName\": \"Tags on machines\",\n \"description\": \"The list of tags that need to matched for getting target machines.\"\n },\n \"defaultValue\": {}\n },\n \"tagOperator\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Tag operator\",\n \"description\": \"Matching condition for resource tags\"\n },\n \"allowedValues\": [\n \"All\",\n \"Any\"\n ],\n \"defaultValue\": \"Any\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#9": "{\n \"name\": \"Enforce-Guardrails-KeyVault\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultManagedHsmCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57\",\n \"policyDefinitionReferenceId\": \"Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#5": "{\n \"name\": \"DenyAction-DeleteProtection\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"DenyAction Delete - Activity Log Settings and Diagnostic Settings\",\n \"description\": \"Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-DiagnosticSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-ActivityLogSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#50": "{\n \"name\": \"Deploy-Private-DNS-Zones-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotDeviceupdatePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotDeviceupdatePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTDeviceupdate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotDeviceupdatePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTablePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#51": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#52": "{\n \"name\": \"Enforce-EncryptTransit_20240509\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#53": "{\n \"name\": \"Enforce-Guardrails-ContainerApps\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#54": "{\n \"name\": \"Enforce-Guardrails-KeyVault\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#55": "{\n \"name\": \"Enforce-Guardrails-Automation\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#56": "{\n \"name\": \"Enforce-Guardrails-MySQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#57": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#58": "{\n \"name\": \"Enforce-Guardrails-CosmosDb\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#59": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#6": "{\n \"name\": \"Deploy-AUM-CheckUpdates\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines\",\n \"description\": \"Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"assessmentMode\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Assessment mode\",\n \"description\": \"Assessment mode for the machines.\"\n },\n \"allowedValues\": [\n \"ImageDefault\",\n \"AutomaticByPlatform\"\n ],\n \"defaultValue\": \"AutomaticByPlatform\"\n },\n \"locations\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Machines locations\",\n \"description\": \"The list of locations from which machines need to be targeted.\",\n \"strongType\": \"location\"\n },\n \"defaultValue\": []\n },\n \"tagValues\": {\n \"type\": \"Object\",\n \"metadata\": {\n \"displayName\": \"Tags on machines\",\n \"description\": \"The list of tags that need to matched for getting target machines.\"\n },\n \"defaultValue\": {}\n },\n \"tagOperator\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Tag operator\",\n \"description\": \"Matching condition for resource tags\"\n },\n \"allowedValues\": [\n \"All\",\n \"Any\"\n ],\n \"defaultValue\": \"Any\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#60": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#61": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccounts\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#62": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#63": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#64": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\n \"policyDefinitionReferenceId\": \"Dine-Storage-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#65": "{\n \"name\": \"Enforce-Guardrails-KeyVault-Sup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce additional recommended guardrails for Key Vault\",\n \"description\": \"This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"keyVaultManagedHsmDisablePublicNetworkModify\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"keyVaultModifyFw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456\",\n \"policyDefinitionReferenceId\": \"Modify-KV-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\",\n \"policyDefinitionReferenceId\": \"Modify-KV-Fw\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultModifyFw')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#66": "{\n \"name\": \"Enforce-EncryptTransit\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html\",\n \"metadata\": {\n \"version\": \"2.1.0-deprecated\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Enforce-EncryptTransit_20240509\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"StorageHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }", + "$fxv#67": "{\n \"name\": \"Enforce-EncryptTransit_20240509\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#68": "{\n \"name\": \"Enforce-Guardrails-ContainerApps\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsVnetInjection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApp-Vnet-Injection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsVnetInjection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#69": "{\n \"name\": \"Enforce-Guardrails-KeyVault\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultManagedHsmCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57\",\n \"policyDefinitionReferenceId\": \"Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#7": "{\n \"name\": \"Enforce-Guardrails-APIM\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for API Management\",\n \"description\": \"This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"API Management\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"apiSubscriptionScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"minimumApiVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSkuVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"apimApiBackendCertValidation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDirectApiEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimCallApiAuthn\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimEncryptedProtocols\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimVnetUsage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSecrets\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Kv\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSecrets')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimVnetUsage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS\",\n \"policyDefinitionReferenceId\": \"Deny-APIM-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Protocols\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimEncryptedProtocols')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Authn\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimCallApiAuthn')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Direct-Endpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDirectApiEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Cert-Validation\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimApiBackendCertValidation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2\",\n \"policyDefinitionReferenceId\": \"Dine-Apim-Public-NetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/73ef9241-5d81-4cd4-b483-8443d1730fe5\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Sku-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSkuVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('minimumApiVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1\",\n \"policyDefinitionReferenceId\": \"Deny-Api-subscription-scope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apiSubscriptionScope')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#70": "{\n \"name\": \"Enforce-Guardrails-Automation\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"autoHotPatch\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc\",\n \"policyDefinitionReferenceId\": \"Deny-Windows-Vm-HotPatch\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('autoHotPatch')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#71": "{\n \"name\": \"Enforce-Guardrails-MySQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mySqlInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlInfraEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#72": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafAfdEnabled\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Afd-Enabled\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafAfdEnabled')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#73": "{\n \"name\": \"Enforce-Guardrails-CosmosDb\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbAtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656\",\n \"policyDefinitionReferenceId\": \"Dine-CosmosDb-Atp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbAtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#8": "{\n \"name\": \"Enforce-Guardrails-AppServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for App Service\",\n \"description\": \"This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"functionAppDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceSkuPl\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuthFtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceScmAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsVnetRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceEnvLatestVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceByoc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Byoc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceByoc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Remote-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Remote-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Latest-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceEnvLatestVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Vnet-Routing\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsVnetRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Rfc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222\",\n \"policyDefinitionReferenceId\": \"Deny-AppServiceApps-Rfc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb\",\n \"policyDefinitionReferenceId\": \"DINE-FuncApp-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-ScmAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceScmAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-Routing\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-FtpAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuthFtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/546fe8d2-368d-4029-a418-6af48a7f61e5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-SkuPl\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceSkuPl')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0f98368e-36bc-4716-8ac2-8f8067203b63\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Apps-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-App-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#9": "{\n \"name\": \"Enforce-Guardrails-CognitiveServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cognitive Services\",\n \"description\": \"This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveSearchSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-SKU\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6300012e-e9a4-4649-b41f-a85f5c43be91\",\n \"policyDefinitionReferenceId\": \"Deny-CongitiveSearch-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4eb216f2-9dba-4979-86e6-5d7e63ce3b75\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9cee519f-d9c1-4fd9-9f79-24ec3449ed30\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "cloudEnv": "[environment().name]", "defaultDeploymentLocationByCloudType": { "AzureCloud": "northeurope", - "AzureChinaCloud": "chinaeast2", + "AzureChinaCloud": "chinanorth3", "AzureUSGovernment": "usgovvirginia" }, "templateVars": { @@ -169,7 +188,9 @@ "[variables('$fxv#22')]", "[variables('$fxv#23')]", "[variables('$fxv#24')]", - "[variables('$fxv#25')]", + "[variables('$fxv#25')]" + ], + "AzureCloud": [ "[variables('$fxv#26')]", "[variables('$fxv#27')]", "[variables('$fxv#28')]", @@ -178,9 +199,7 @@ "[variables('$fxv#31')]", "[variables('$fxv#32')]", "[variables('$fxv#33')]", - "[variables('$fxv#34')]" - ], - "AzureCloud": [ + "[variables('$fxv#34')]", "[variables('$fxv#35')]", "[variables('$fxv#36')]", "[variables('$fxv#37')]", @@ -190,21 +209,40 @@ "[variables('$fxv#41')]", "[variables('$fxv#42')]", "[variables('$fxv#43')]", - "[variables('$fxv#44')]" + "[variables('$fxv#44')]", + "[variables('$fxv#45')]" ], "AzureChinaCloud": [ - "[variables('$fxv#45')]", "[variables('$fxv#46')]", "[variables('$fxv#47')]", "[variables('$fxv#48')]", - "[variables('$fxv#49')]" - ], - "AzureUSGovernment": [ + "[variables('$fxv#49')]", "[variables('$fxv#50')]", "[variables('$fxv#51')]", "[variables('$fxv#52')]", "[variables('$fxv#53')]", - "[variables('$fxv#54')]" + "[variables('$fxv#54')]", + "[variables('$fxv#55')]", + "[variables('$fxv#56')]", + "[variables('$fxv#57')]", + "[variables('$fxv#58')]" + ], + "AzureUSGovernment": [ + "[variables('$fxv#59')]", + "[variables('$fxv#60')]", + "[variables('$fxv#61')]", + "[variables('$fxv#62')]", + "[variables('$fxv#63')]", + "[variables('$fxv#64')]", + "[variables('$fxv#65')]", + "[variables('$fxv#66')]", + "[variables('$fxv#67')]", + "[variables('$fxv#68')]", + "[variables('$fxv#69')]", + "[variables('$fxv#70')]", + "[variables('$fxv#71')]", + "[variables('$fxv#72')]", + "[variables('$fxv#73')]" ] }, "policySetDefinitionsByCloudType": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.AzureChinaCloud.json index 5cb86665e4..8b402911cb 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.AzureChinaCloud.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.AzureChinaCloud.json @@ -1,5 +1,5 @@ { - "name": "Deny-PublicPaaSEndpoints", + "name": "Deny-PublicPaaSEndpoints-AzureChinaCloud", "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "scope": null, @@ -20,7 +20,7 @@ "type": "String", "metadata": { "displayName": "Public network access should be disabled for CosmosDB", - "description": "This policy denies that Cosmos database accounts are created with out public network access is disabled." + "description": "This policy denies that Cosmos database accounts are created with out public network access is disabled." }, "allowedValues": [ "Audit", @@ -85,7 +85,7 @@ "type": "String", "metadata": { "displayName": "Public network access on Azure Container Registry disabled", - "description": "This policy denies the creation of Azure Container Registires with exposed public endpoints " + "description": "This policy denies the creation of Azure Container Registries with exposed public endpoints " }, "allowedValues": [ "Audit", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.AzureChinaCloud.json index 130a3b563d..f14b18081c 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.AzureChinaCloud.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.AzureChinaCloud.json @@ -1,5 +1,5 @@ { - "name": "Deploy-MDFC-Config", + "name": "Deploy-MDFC-Config-AzureChinaCloud", "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "scope": null, diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json index 11df0daf3f..fb1dbfce87 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json @@ -1,5 +1,5 @@ { - "name": "Deploy-Private-DNS-Zones", + "name": "Deploy-Private-DNS-Zones-AzureChinaCloud", "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "scope": null, @@ -178,15 +178,6 @@ "description": "Private DNS Zone Identifier" } }, - "azureWebPrivateDnsZoneId": { - "type": "string", - "defaultValue": "", - "metadata": { - "displayName": "azureWebPrivateDnsZoneId", - "strongType": "Microsoft.Network/privateDnsZones", - "description": "Private DNS Zone Identifier" - } - }, "azureBatchPrivateDnsZoneId": { "type": "string", "defaultValue": "", @@ -823,19 +814,6 @@ }, "groupNames": [] }, - { - "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Web", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a", - "parameters": { - "privateDnsZoneId": { - "value": "[[parameters('azureWebPrivateDnsZoneId')]" - }, - "effect": { - "value": "[[parameters('effect')]" - } - }, - "groupNames": [] - }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Batch", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.AzureChinaCloud.json new file mode 100644 index 0000000000..4721094533 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.AzureChinaCloud.json @@ -0,0 +1,912 @@ +{ + "name": "Enforce-EncryptTransit_20240509", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", + "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. ", + "metadata": { + "version": "1.0.0", + "category": "Encryption", + "source": "https://github.com/Azure/Enterprise-Scale/", + "replacesPolicy": "Enforce-EncryptTransit", + "alzCloudEnvironments": [ + "AzureChinaCloud" + ] + }, + "parameters": { + "AppServiceHttpEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below", + "description": "Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny." + } + }, + "AppServiceTlsVersionEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "App Service. Appends the AppService WebApp, APIApp, Function App to enable https only", + "description": "App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny." + } + }, + "AppServiceminTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "App Service. Select version minimum TLS Web App config", + "description": "App Service. Select version minimum TLS version for a Web App config to enforce" + } + }, + "APIAppServiceHttpsEffect": { + "metadata": { + "displayName": "App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "FunctionLatestTlsEffect": { + "metadata": { + "displayName": "App Service Function App. Latest TLS version should be used in your Function App", + "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version." + }, + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "FunctionServiceHttpsEffect": { + "metadata": { + "displayName": "App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "FunctionAppTlsEffect": { + "metadata": { + "displayName": "App Service Function App. Configure Function apps to use the latest TLS version.", + "description": "App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version." + }, + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "LogicAppTlsEffect": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "WebAppServiceLatestTlsEffect": { + "metadata": { + "displayName": "App Service Web App. Latest TLS version should be used in your Web App", + "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version." + }, + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "WebAppServiceHttpsEffect": { + "metadata": { + "displayName": "App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "AKSIngressHttpsOnlyEffect": { + "metadata": { + "displayName": "AKS Service. Enforce HTTPS ingress in Kubernetes cluster", + "description": "This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc." + }, + "type": "String", + "defaultValue": "deny", + "allowedValues": [ + "audit", + "deny", + "disabled" + ] + }, + "MySQLEnableSSLDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "MySQLEnableSSLEffect": { + "metadata": { + "displayName": "MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers", + "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "MySQLminimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "MySQL database servers. Select version minimum TLS for MySQL server", + "description": "Select version minimum TLS version Azure Database for MySQL server to enforce" + } + }, + "PostgreSQLEnableSSLDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "PostgreSQLEnableSSLEffect": { + "metadata": { + "displayName": "PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers", + "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "PostgreSQLminimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "PostgreSQL database servers. Select version minimum TLS for MySQL server", + "description": "PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce" + } + }, + "RedisTLSDeployEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "RedisMinTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis", + "description": "Select version minimum TLS version for a Azure Cache for Redis to enforce" + } + }, + "RedisTLSEffect": { + "metadata": { + "displayName": "Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled", + "description": "Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "SQLManagedInstanceTLSDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers", + "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "SQLManagedInstanceMinTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure Managed Instance.Select version minimum TLS for Azure Managed Instance", + "description": "Select version minimum TLS version for Azure Managed Instanceto to enforce" + } + }, + "SQLManagedInstanceTLSEffect": { + "metadata": { + "displayName": "SQL Managed Instance should have the minimal TLS version of 1.2", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "SQLServerTLSDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers", + "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "SQLServerminTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure SQL Database.Select version minimum TLS for Azure SQL Database", + "description": "Select version minimum TLS version for Azure SQL Database to enforce" + } + }, + "SQLServerTLSEffect": { + "metadata": { + "displayName": "Azure SQL Database should have the minimal TLS version of 1.2", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "StorageDeployHttpsEnabledEffect": { + "metadata": { + "displayName": "Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled", + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking" + }, + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "StorageminimumTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_1", + "TLS1_0" + ], + "metadata": { + "displayName": "Storage Account select minimum TLS version", + "description": "Select version minimum TLS version on Azure Storage Account to enforce" + } + }, + "logicAppHttpsEffect": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceAppsTls": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "functionAppSlotsTls": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "appServiceAppsHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceTls": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceAppSlotTls": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "functionAppSlotsHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "functionAppHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceAppSlotsHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "containerAppsHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "eventHubMinTls": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "sqlManagedTlsVersion": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "sqlDbTls": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsTls": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "synapseTlsVersion": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "AppServiceHttpEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly", + "parameters": { + "effect": { + "value": "[[parameters('AppServiceHttpEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AppServiceminTlsVersion", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS", + "parameters": { + "effect": { + "value": "[[parameters('AppServiceTlsVersionEffect')]" + }, + "minTlsVersion": { + "value": "[[parameters('AppServiceminTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "FunctionLatestTlsEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193", + "parameters": { + "effect": { + "value": "[[parameters('FunctionLatestTlsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "WebAppServiceLatestTlsEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b", + "parameters": { + "effect": { + "value": "[[parameters('WebAppServiceLatestTlsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "APIAppServiceHttpsEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http", + "parameters": { + "effect": { + "value": "[[parameters('APIAppServiceHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "FunctionServiceHttpsEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http", + "parameters": { + "effect": { + "value": "[[parameters('FunctionServiceHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "WebAppServiceHttpsEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http", + "parameters": { + "effect": { + "value": "[[parameters('WebAppServiceHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AKSIngressHttpsOnlyEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", + "parameters": { + "effect": { + "value": "[[parameters('AKSIngressHttpsOnlyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MySQLEnableSSLDeployEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement", + "parameters": { + "effect": { + "value": "[[parameters('MySQLEnableSSLDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('MySQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MySQLEnableSSLEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http", + "parameters": { + "effect": { + "value": "[[parameters('MySQLEnableSSLEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('MySQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PostgreSQLEnableSSLDeployEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement", + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLEnableSSLDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('PostgreSQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PostgreSQLEnableSSLEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http", + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLEnableSSLEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('PostgreSQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisTLSDeployEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement", + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSDeployEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('RedisMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisdisableNonSslPort", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort", + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSDeployEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisDenyhttps", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http", + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('RedisMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLManagedInstanceTLSDeployEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('SQLManagedInstanceTLSDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLManagedInstanceTLSEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('SQLManagedInstanceTLSEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLServerTLSDeployEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('SQLServerTLSDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLServerminTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLServerTLSEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('SQLServerTLSEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLServerminTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "StorageDeployHttpsEnabledEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement", + "parameters": { + "effect": { + "value": "[[parameters('StorageDeployHttpsEnabledEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('StorageMinimumTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Dine-FunctionApp-Tls", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('FunctionAppTlsEffect')]" + } + } + }, + { + "policyDefinitionReferenceId": "Deploy-LogicApp-TLS", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('LogicAppTlsEffect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https", + "policyDefinitionReferenceId": "Deny-LogicApp-Without-Https", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('logicAppHttpsEffect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063", + "policyDefinitionReferenceId": "Dine-Function-Apps-Slots-Tls", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('functionAppSlotsTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d", + "policyDefinitionReferenceId": "Dine-AppService-Apps-Tls", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d", + "policyDefinitionReferenceId": "Deny-AppService-Apps-Https", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50", + "policyDefinitionReferenceId": "Deny-AppService-Tls", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df", + "policyDefinitionReferenceId": "DINE-AppService-AppSlotTls", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppSlotTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71", + "policyDefinitionReferenceId": "Deny-FuncAppSlots-Https", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('functionAppSlotsHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab", + "policyDefinitionReferenceId": "Deny-FunctionApp-Https", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('functionAppHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc", + "policyDefinitionReferenceId": "Deny-AppService-Slots-Https", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppSlotsHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb", + "policyDefinitionReferenceId": "Deny-ContainerApps-Https", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('containerAppsHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS", + "policyDefinitionReferenceId": "Deny-EH-minTLS", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('eventHubMinTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4", + "policyDefinitionReferenceId": "Deny-Sql-Managed-Tls-Version", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('sqlManagedTlsVersion')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf", + "policyDefinitionReferenceId": "Deny-Sql-Db-Tls", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('sqlDbTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0", + "policyDefinitionReferenceId": "Deny-Storage-Tls", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4", + "policyDefinitionReferenceId": "Deny-Synapse-Tls-Version", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('synapseTlsVersion')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.AzureChinaCloud.json new file mode 100644 index 0000000000..64f2ef98e7 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.AzureChinaCloud.json @@ -0,0 +1,116 @@ +{ + "name": "Enforce-Guardrails-Automation", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Automation Account", + "description": "This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Automation", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureChinaCloud" + ] + }, + "parameters": { + "aaModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "aaVariablesEncryption": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "aaLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "aaManagedIdentity": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "aaModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0", + "policyDefinitionReferenceId": "Deny-Aa-Managed-Identity", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('aaManagedIdentity')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700", + "policyDefinitionReferenceId": "Deny-Aa-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('aaLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735", + "policyDefinitionReferenceId": "Deny-Aa-Variables-Encrypt", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('aaVariablesEncryption')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81", + "policyDefinitionReferenceId": "Modify-Aa-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('aaModifyLocalAUth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c", + "policyDefinitionReferenceId": "Modify-Aa-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('aaModifyPublicNetworkAccess')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.AzureChinaCloud.json new file mode 100644 index 0000000000..20a559d4a5 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.AzureChinaCloud.json @@ -0,0 +1,43 @@ +{ + "name": "Enforce-Guardrails-ContainerApps", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Container Apps", + "description": "This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Container Apps", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureChinaCloud" + ] + }, + "parameters": { + "containerAppsManagedIdentity": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7", + "policyDefinitionReferenceId": "Deny-ContainerApps-Managed-Identity", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('containerAppsManagedIdentity')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.AzureChinaCloud.json new file mode 100644 index 0000000000..75d1d67960 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.AzureChinaCloud.json @@ -0,0 +1,104 @@ +{ + "name": "Enforce-Guardrails-CosmosDb", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Cosmos DB", + "description": "This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Cosmos DB", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureChinaCloud" + ] + }, + "parameters": { + "cosmosDbLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cosmosDbFwRules": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cosmosDbModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "cosmosDbModifyPublicAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049", + "policyDefinitionReferenceId": "Modify-CosmosDb-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbModifyLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb", + "policyDefinitionReferenceId": "Deny-CosmosDb-Fw-Rules", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbFwRules')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2", + "policyDefinitionReferenceId": "Deny-CosmosDb-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5", + "policyDefinitionReferenceId": "Append-CosmosDb-Metadata", + "groupNames": [], + "parameters": {} + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088", + "policyDefinitionReferenceId": "Modify-CosmosDb-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbModifyPublicAccess')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.AzureChinaCloud.json new file mode 100644 index 0000000000..7fad9290da --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.AzureChinaCloud.json @@ -0,0 +1,42 @@ +{ + "name": "Enforce-Guardrails-KeyVault-Sup", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce additional recommended guardrails for Key Vault", + "description": "This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Key Vault", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureChinaCloud" + ] + }, + "parameters": { + "keyVaultModifyFw": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc", + "policyDefinitionReferenceId": "Modify-KV-Fw", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultModifyFw')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.AzureChinaCloud.json new file mode 100644 index 0000000000..e4d94be21c --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.AzureChinaCloud.json @@ -0,0 +1,759 @@ +{ + "name": "Enforce-Guardrails-KeyVault", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Azure Key Vault", + "description": "Enforce recommended guardrails for Azure Key Vault.", + "metadata": { + "version": "2.0.0", + "category": "Key Vault", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureChinaCloud" + ] + }, + "parameters": { + "effectKvSoftDelete": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "effectKvPurgeProtection": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "effectKvSecretsExpire": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + }, + "effectKvKeysExpire": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + }, + "effectKvFirewallEnabled": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + }, + "effectKvCertLifetime": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "audit", + "Audit", + "deny", + "Deny", + "disabled", + "Disabled" + ], + "defaultValue": "Audit" + }, + "maximumCertLifePercentageLife": { + "type": "Integer", + "metadata": { + "displayName": "The maximum lifetime percentage", + "description": "Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'." + }, + "defaultValue": 80 + }, + "minimumCertLifeDaysBeforeExpiry": { + "type": "Integer", + "metadata": { + "displayName": "The minimum days before expiry", + "description": "Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'." + }, + "defaultValue": 90 + }, + "effectKvKeysLifetime": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + }, + "minimumKeysLifeDaysBeforeExpiry": { + "type": "Integer", + "metadata": { + "displayName": "The minimum days before expiry", + "description": "Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'." + }, + "defaultValue": 90 + }, + "effectKvSecretsLifetime": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + }, + "minimumSecretsLifeDaysBeforeExpiry": { + "type": "Integer", + "metadata": { + "displayName": "The minimum days before expiry", + "description": "Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'." + }, + "defaultValue": 90 + }, + "keyVaultCheckMinimumRSACertificateSize": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "audit", + "Audit", + "deny", + "Deny", + "disabled", + "Disabled" + ] + }, + "keyVaultMinimumRSACertificateSizeValue": { + "type": "integer", + "defaultValue": 2048, + "allowedValues": [ + 2048, + 3072, + 4096 + ] + }, + "keyVaultCheckMinimumRSAKeySize": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultMinimumRSAKeySizeValue": { + "type": "integer", + "defaultValue": 2048, + "allowedValues": [ + 2048, + 3072, + 4096 + ] + }, + "keyVaultArmRbac": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultHmsPurgeProtection": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultCertificatesPeriod": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultCertValidPeriod": { + "type": "integer", + "defaultValue": 12 + }, + "keyVaultHmsKeysExpiration": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keysValidPeriod": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keysValidityInDays": { + "type": "integer", + "defaultValue": 90 + }, + "secretsValidPeriod": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "secretsValidityInDays": { + "type": "integer", + "defaultValue": 90 + }, + "keyVaultCertKeyTypes": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "audit", + "Audit", + "deny", + "Deny", + "disabled", + "Disabled" + ] + }, + "keyVaultEllipticCurve": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "audit", + "Audit", + "deny", + "Deny", + "disabled", + "Disabled" + ] + }, + "keyVaultCryptographicType": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keysActive": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keysActiveInDays": { + "type": "integer", + "defaultValue": 90 + }, + "keysCurveNames": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "secretsActiveInDays": { + "type": "integer", + "defaultValue": 90 + }, + "secretsActive": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultSecretContentType": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultNonIntegratedCa": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "audit", + "Audit", + "deny", + "Deny", + "disabled", + "Disabled" + ] + }, + "keyVaultNonIntegratedCaValue": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "The common name of the certificate authority", + "description": "The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso" + } + }, + "keyVaultIntegratedCa": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "audit", + "Audit", + "deny", + "Deny", + "disabled", + "Disabled" + ] + }, + "keyVaultIntegratedCaValue": { + "type": "array", + "defaultValue": [ + "DigiCert", + "GlobalSign" + ] + }, + "keyVaultHsmMinimumDaysBeforeExpiration": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultHsmMinimumDaysBeforeExpirationValue": { + "type": "integer", + "defaultValue": 90 + }, + "keyVaultHmsCurveNames": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultHmsCurveNamesValue": { + "type": "array", + "defaultValue": [ + "P-256", + "P-256K", + "P-384", + "P-521" + ] + }, + "keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "audit", + "Audit", + "deny", + "Deny", + "disabled", + "Disabled" + ] + }, + "keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue": { + "type": "integer", + "defaultValue": 90 + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "KvSoftDelete", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d", + "parameters": { + "effect": { + "value": "[[parameters('effectKvSoftDelete')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "KvPurgeProtection", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53", + "parameters": { + "effect": { + "value": "[[parameters('effectKvPurgeProtection')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "KvSecretsExpire", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37", + "parameters": { + "effect": { + "value": "[[parameters('effectKvSecretsExpire')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "KvKeysExpire", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0", + "parameters": { + "effect": { + "value": "[[parameters('effectKvKeysExpire')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "KvFirewallEnabled", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490", + "parameters": { + "effect": { + "value": "[[parameters('effectKvFirewallEnabled')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "KvCertLifetime", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417", + "parameters": { + "effect": { + "value": "[[parameters('effectKvCertLifetime')]" + }, + "maximumPercentageLife": { + "value": "[[parameters('maximumCertLifePercentageLife')]" + }, + "minimumDaysBeforeExpiry": { + "value": "[[parameters('minimumCertLifeDaysBeforeExpiry')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "KvKeysLifetime", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146", + "parameters": { + "effect": { + "value": "[[parameters('effectKvKeysLifetime')]" + }, + "minimumDaysBeforeExpiration": { + "value": "[[parameters('minimumKeysLifeDaysBeforeExpiry')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "KvSecretsLifetime", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a", + "parameters": { + "effect": { + "value": "[[parameters('effectKvSecretsLifetime')]" + }, + "minimumDaysBeforeExpiration": { + "value": "[[parameters('minimumSecretsLifeDaysBeforeExpiry')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0", + "policyDefinitionReferenceId": "Deny-KV-RSA-Keys-without-MinCertSize", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultCheckMinimumRSACertificateSize')]" + }, + "minimumRSAKeySize": { + "value": "[[parameters('keyVaultMinimumRSACertificateSizeValue')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9", + "policyDefinitionReferenceId": "Deny-KV-RSA-Keys-without-MinKeySize", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultCheckMinimumRSAKeySize')]" + }, + "minimumRSAKeySize": { + "value": "[[parameters('keyVaultMinimumRSAKeySizeValue')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5", + "policyDefinitionReferenceId": "Deny-KV-without-ArmRbac", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultArmRbac')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383", + "policyDefinitionReferenceId": "Deny-KV-Hms-PurgeProtection", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultHmsPurgeProtection')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560", + "policyDefinitionReferenceId": "Deny-KV-Cert-Period", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultCertificatesPeriod')]" + }, + "maximumValidityInMonths": { + "value": "[[parameters('keyVaultCertValidPeriod')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5", + "policyDefinitionReferenceId": "Deny-KV-Hms-Key-Expire", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultHmsKeysExpiration')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9", + "policyDefinitionReferenceId": "Deny-KV-Keys-Expire", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('keysValidPeriod')]" + }, + "maximumValidityInDays": { + "value": "[[parameters('keysValidityInDays')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f", + "policyDefinitionReferenceId": "Deny-KV-Secrets-ValidityDays", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('secretsValidPeriod')]" + }, + "maximumValidityInDays": { + "value": "[[parameters('secretsValidityInDays')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f", + "policyDefinitionReferenceId": "Deny-KV-Key-Types", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultCertKeyTypes')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf", + "policyDefinitionReferenceId": "Deny-KV-Elliptic-Curve", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultEllipticCurve')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb", + "policyDefinitionReferenceId": "Deny-KV-Cryptographic-Type", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultCryptographicType')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9", + "policyDefinitionReferenceId": "Deny-KV-Key-Active", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('keysActive')]" + }, + "maximumValidityInDays": { + "value": "[[parameters('keysActiveInDays')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255", + "policyDefinitionReferenceId": "Deny-KV-Curve-Names", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('keysCurveNames')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe", + "policyDefinitionReferenceId": "Deny-KV-Secret-ActiveDays", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('secretsActive')]" + }, + "maximumValidityInDays": { + "value": "[[parameters('secretsActiveInDays')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3", + "policyDefinitionReferenceId": "Deny-Kv-Secret-Content-Type", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultSecretContentType')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341", + "policyDefinitionReferenceId": "Deny-Kv-Non-Integrated-Ca", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultNonIntegratedCa')]" + }, + "caCommonName": { + "value": "[[parameters('keyVaultNonIntegratedCaValue')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82", + "policyDefinitionReferenceId": "Deny-Kv-Integrated-Ca", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultIntegratedCa')]" + }, + "allowedCAs": { + "value": "[[parameters('keyVaultIntegratedCaValue')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653", + "policyDefinitionReferenceId": "Deny-Kv-Hsm-MinimumDays-Before-Expiration", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]" + }, + "minimumDaysBeforeExpiration": { + "value": "[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e", + "policyDefinitionReferenceId": "Deny-Kv-Hsm-Curve-Names", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultHmsCurveNames')]" + }, + "allowedECNames": { + "value": "[[parameters('keyVaultHmsCurveNamesValue')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427", + "policyDefinitionReferenceId": "Deny-Kv-Cert-Expiration-Within-Specific-Number-Days", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]" + }, + "daysToExpire": { + "value": "[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.AzureChinaCloud.json new file mode 100644 index 0000000000..056597a6e3 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.AzureChinaCloud.json @@ -0,0 +1,42 @@ +{ + "name": "Enforce-Guardrails-MySQL", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for MySQL", + "description": "This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "MySQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureChinaCloud" + ] + }, + "parameters": { + "mySqlAdvThreatProtection": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816", + "policyDefinitionReferenceId": "Dine-MySql-Adv-Threat-Protection", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('mySqlAdvThreatProtection')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.AzureChinaCloud.json new file mode 100644 index 0000000000..a71ae0df23 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.AzureChinaCloud.json @@ -0,0 +1,504 @@ +{ + "name": "Enforce-Guardrails-Network", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Network and Networking services", + "description": "This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureChinaCloud" + ] + }, + "parameters": { + "subnetUdr": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "subnetNsg": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "subnetServiceEndpoint": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appGwWaf": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "vnetModifyDdos": { + "type": "string", + "defaultValue": "Modify" + }, + "ddosPlanResourceId": { + "type": "string", + "defaultValue": "" + }, + "wafMode": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "wafModeRequirement": { + "type": "string", + "defaultValue": "Prevention" + }, + "wafFwRules": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "wafModeAppGw": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "wafModeAppGwRequirement": { + "type": "string", + "defaultValue": "Prevention" + }, + "denyMgmtFromInternet": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "denyMgmtFromInternetPorts": { + "type": "Array", + "metadata": { + "displayName": "Ports", + "description": "Ports to be blocked" + }, + "defaultValue": [ + "22", + "3389" + ] + }, + "afwEnbaleTlsForAllAppRules": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "afwEnableTlsInspection": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "afwEmptyIDPSBypassList": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "afwEnableAllIDPSSignatureRules": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "afwEnableIDPS": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "vpnAzureAD": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appGwTlsVersion": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "modifyUdr": { + "type": "string", + "defaultValue": "Disabled" + }, + "modifyUdrNextHopIpAddress": { + "type": "string", + "defaultValue": "" + }, + "modifyUdrNextHopType": { + "type": "string", + "defaultValue": "None" + }, + "modifyUdrAddressPrefix": { + "type": "string", + "defaultValue": "0.0.0.0/0" + }, + "modifyNsg": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "modifyNsgRuleName": { + "type": "string", + "defaultValue": "DenyAnyInternetOutbound" + }, + "modifyNsgRulePriority": { + "type": "integer", + "defaultValue": 1000 + }, + "modifyNsgRuleDirection": { + "type": "string", + "defaultValue": "Outbound" + }, + "modifyNsgRuleAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "modifyNsgRuleProtocol": { + "type": "string", + "defaultValue": "*" + }, + "modifyNsgRuleSourceAddressPrefix": { + "type": "string", + "defaultValue": "*" + }, + "modifyNsgRuleSourcePortRange": { + "type": "string", + "defaultValue": "*" + }, + "modifyNsgRuleDestinationAddressPrefix": { + "type": "string", + "defaultValue": "Internet" + }, + "modifyNsgRuleDestinationPortRange": { + "type": "string", + "defaultValue": "*" + }, + "modifyNsgRuleDescription": { + "type": "string", + "defaultValue": "Deny any outbound traffic to the Internet" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010", + "policyDefinitionReferenceId": "Deny-Nsg-GW-subnet", + "groupNames": [], + "parameters": {} + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7", + "policyDefinitionReferenceId": "Deny-VPN-AzureAD", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('vpnAzureAD')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a", + "policyDefinitionReferenceId": "Deny-Waf-IDPS", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('afwEnableIDPS')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5", + "policyDefinitionReferenceId": "Deny-FW-AllIDPSS", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('afwEnableAllIDPSSignatureRules')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50", + "policyDefinitionReferenceId": "Deny-FW-EmpIDPSBypass", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('afwEmptyIDPSBypassList')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17", + "policyDefinitionReferenceId": "Deny-FW-TLS-Inspection", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('afwEnableTlsInspection')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596", + "policyDefinitionReferenceId": "Deny-FW-TLS-AllApp", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('afwEnbaleTlsForAllAppRules')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096", + "policyDefinitionReferenceId": "Deny-Waf-AppGw-mode", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('wafModeAppGw')]" + }, + "modeRequirement": { + "value": "[[parameters('wafModeAppGwRequirement')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d", + "policyDefinitionReferenceId": "Deny-Waf-Fw-rules", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('wafFwRules')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8", + "policyDefinitionReferenceId": "Deny-Waf-mode", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('wafMode')]" + }, + "modeRequirement": { + "value": "[[parameters('wafModeRequirement')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d", + "policyDefinitionReferenceId": "Modify-vNet-DDoS", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('vnetModifyDdos')]" + }, + "ddosPlan": { + "value": "[[parameters('ddosPlanResourceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900", + "policyDefinitionReferenceId": "Deny-Ip-Forwarding", + "groupNames": [], + "parameters": {} + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114", + "policyDefinitionReferenceId": "Deny-vNic-Pip", + "groupNames": [], + "parameters": {} + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66", + "policyDefinitionReferenceId": "Deny-AppGw-Without-Waf", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appGwWaf')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr", + "policyDefinitionReferenceId": "Deny-Subnet-Without-Udr", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('subnetUdr')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg", + "policyDefinitionReferenceId": "Deny-Subnet-Without-NSG", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('subnetNsg')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints", + "policyDefinitionReferenceId": "Deny-Subnet-with-Service-Endpoints", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('subnetServiceEndpoint')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet", + "policyDefinitionReferenceId": "Deny-Mgmt-From-Internet", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('denyMgmtFromInternet')]" + }, + "ports": { + "value": "[[parameters('denyMgmtFromInternetPorts')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls", + "policyDefinitionReferenceId": "Deny-AppGw-Without-Tls", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appGwTlsVersion')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR", + "policyDefinitionReferenceId": "Modify-Udr", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('modifyUdr')]" + }, + "nextHopIpAddress": { + "value": "[[parameters('modifyUdrNextHopIpAddress')]" + }, + "nextHopType": { + "value": "[[parameters('modifyUdrNextHopType')]" + }, + "addressPrefix": { + "value": "[[parameters('modifyUdrAddressPrefix')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG", + "policyDefinitionReferenceId": "Modify-Nsg", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('modifyNsg')]" + }, + "nsgRuleName": { + "value": "[[parameters('modifyNsgRuleName')]" + }, + "nsgRulePriority": { + "value": "[[parameters('modifyNsgRulePriority')]" + }, + "nsgRuleDirection": { + "value": "[[parameters('modifyNsgRuleDirection')]" + }, + "nsgRuleAccess": { + "value": "[[parameters('modifyNsgRuleAccess')]" + }, + "nsgRuleProtocol": { + "value": "[[parameters('modifyNsgRuleProtocol')]" + }, + "nsgRuleSourceAddressPrefix": { + "value": "[[parameters('modifyNsgRuleSourceAddressPrefix')]" + }, + "nsgRuleSourcePortRange": { + "value": "[[parameters('modifyNsgRuleSourcePortRange')]" + }, + "nsgRuleDestinationAddressPrefix": { + "value": "[[parameters('modifyNsgRuleDestinationAddressPrefix')]" + }, + "nsgRuleDestinationPortRange": { + "value": "[[parameters('modifyNsgRuleDestinationPortRange')]" + }, + "nsgRuleDescription": { + "value": "[[parameters('modifyNsgRuleDescription')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.AzureChinaCloud.json new file mode 100644 index 0000000000..e43decc9d1 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.AzureChinaCloud.json @@ -0,0 +1,443 @@ +{ + "name": "Enforce-Guardrails-Storage", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Storage Account", + "description": "This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureChinaCloud" + ] + }, + "parameters": { + "storageKeysExpiration": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountNetworkRules": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountRestrictNetworkRules": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageClassicToArm": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsInfraEncryption": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountSharedKey": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsCrossTenant": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsDoubleEncryption": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsCopyScope": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsAllowedCopyScope": { + "type": "string", + "defaultValue": "AAD" + }, + "storageServicesEncryption": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageLocalUser": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageSftp": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageNetworkAclsBypass": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAllowedNetworkAclsBypass": { + "type": "array", + "defaultValue": [ + "None" + ] + }, + "storageResourceAccessRulesTenantId": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageResourceAccessRulesResourceId": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageNetworkAclsVirtualNetworkRules": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageContainerDeleteRetentionPolicy": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageMinContainerDeleteRetentionInDays": { + "type": "Integer", + "defaultValue": 7 + }, + "storageCorsRules": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "modifyStorageFileSyncPublicEndpoint": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "modifyStorageAccountPublicEndpoint": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "storageAccountsModifyDisablePublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope", + "policyDefinitionReferenceId": "Deny-Storage-CopyScope", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsCopyScope')]" + }, + "allowedCopyScope": { + "value": "[[parameters('storageAccountsAllowedCopyScope')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption", + "policyDefinitionReferenceId": "Deny-Storage-ServicesEncryption", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageServicesEncryption')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser", + "policyDefinitionReferenceId": "Deny-Storage-LocalUser", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageLocalUser')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP", + "policyDefinitionReferenceId": "Deny-Storage-SFTP", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageSftp')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass", + "policyDefinitionReferenceId": "Deny-Storage-NetworkAclsBypass", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageNetworkAclsBypass')]" + }, + "allowedBypassOptions": { + "value": "[[parameters('storageAllowedNetworkAclsBypass')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId", + "policyDefinitionReferenceId": "Deny-Storage-ResourceAccessRulesTenantId", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageResourceAccessRulesTenantId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId", + "policyDefinitionReferenceId": "Deny-Storage-ResourceAccessRulesResourceId", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageResourceAccessRulesResourceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules", + "policyDefinitionReferenceId": "Deny-Storage-NetworkAclsVirtualNetworkRules", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageNetworkAclsVirtualNetworkRules')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy", + "policyDefinitionReferenceId": "Deny-Storage-ContainerDeleteRetentionPolicy", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageContainerDeleteRetentionPolicy')]" + }, + "minContainerDeleteRetentionInDays": { + "value": "[[parameters('storageMinContainerDeleteRetentionInDays')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules", + "policyDefinitionReferenceId": "Deny-Storage-CorsRules", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageCorsRules')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d", + "policyDefinitionReferenceId": "Deny-Storage-Account-Encryption", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsDoubleEncryption')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312", + "policyDefinitionReferenceId": "Deny-Storage-Cross-Tenant", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsCrossTenant')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54", + "policyDefinitionReferenceId": "Deny-Storage-Shared-Key", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountSharedKey')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a", + "policyDefinitionReferenceId": "Deny-Storage-Infra-Encryption", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsInfraEncryption')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606", + "policyDefinitionReferenceId": "Deny-Storage-Classic", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageClassicToArm')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c", + "policyDefinitionReferenceId": "Deny-Storage-Restrict-NetworkRules", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountRestrictNetworkRules')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f", + "policyDefinitionReferenceId": "Deny-Storage-NetworkRules", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountNetworkRules')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537", + "policyDefinitionReferenceId": "Deny-Storage-Account-Keys-Expire", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageKeysExpiration')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b", + "policyDefinitionReferenceId": "Modify-Storage-FileSync-PublicEndpoint", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('modifyStorageFileSyncPublicEndpoint')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b", + "policyDefinitionReferenceId": "Modify-Blob-Storage-Account-PublicEndpoint", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('modifyStorageAccountPublicEndpoint')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d", + "policyDefinitionReferenceId": "Modify-Storage-Account-PublicEndpoint", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} diff --git a/src/templates/initiatives.bicep b/src/templates/initiatives.bicep index 0e48249b93..412f0e6a6b 100644 --- a/src/templates/initiatives.bicep +++ b/src/templates/initiatives.bicep @@ -17,7 +17,7 @@ var cloudEnv = environment().name // Default deployment locations used in templates var defaultDeploymentLocationByCloudType = { AzureCloud: 'northeurope' - AzureChinaCloud: 'chinaeast2' + AzureChinaCloud: 'chinanorth3' //change to chinanorth3 as it's the most frequent scenario AzureUSGovernment: 'usgovvirginia' } @@ -37,31 +37,21 @@ var loadPolicySetDefinitions = { loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Audit-TrustedLaunch.json') loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security.json') loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security_20240529.json') - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit.json') - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json') - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox.json') loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/DenyAction-DeleteProtection.json') loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-AUM-CheckUpdates.json') - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.json') loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-APIM.json') // FSI specific initiative loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-AppServices.json') // FSI specific initiative - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.json') // FSI specific initiative loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CognitiveServices.json') // FSI specific initiative loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Compute.json') // FSI specific initiative - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.json') // FSI specific initiative loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerInstance.json') // FSI specific initiative loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerRegistry.json') // FSI specific initiative - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.json') // FSI specific initiative loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataExplorer.json') // FSI specific initiative loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataFactory.json') // FSI specific initiative loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventGrid.json') // FSI specific initiative loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventHub.json') // FSI specific initiative - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.json') // FSI specific initiative loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Kubernetes.json') // FSI specific initiative loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MachineLearning.json') // FSI specific initiative - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.json') // FSI specific initiative - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json') // FSI specific initiative loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-OpenAI.json') // FSI specific initiative loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-PostgreSQL.json') // FSI specific initiative loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ServiceBus.json') // FSI specific initiative @@ -81,13 +71,32 @@ var loadPolicySetDefinitions = { loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-DefenderSQL-AMA.json') loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Backup.json') // Unable to validate if all Azure Site Recovery features are working in other clouds loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json') // Not working in AzureChinaCloud, needs validating in AzureUSGovernment + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.json') // FSI specific initiative. Not working in AzureChinaCloud, needs validating in AzureUSGovernment + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.json') // FSI specific initiative. Not working in AzureChinaCloud, needs validating in AzureUSGovernment + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit.json') // Not working in AzureChinaCloud, needs validating in AzureUSGovernment + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json') // Not working in AzureChinaCloud, needs validating in AzureUSGovernment + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.json') // FSI specific initiative. Not working in AzureChinaCloud, needs validating in AzureUSGovernment + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.json') // Not working in AzureChinaCloud, needs validating in AzureUSGovernment + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.json') // FSI specific initiative. Not working in AzureChinaCloud, needs validating in AzureUSGovernment + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.json') // FSI specific initiative. Not working in AzureChinaCloud, needs validating in AzureUSGovernment + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json') // FSI specific initiative. Not working in AzureChinaCloud, needs validating in AzureUSGovernment + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.json') // FSI specific initiative. Not working in AzureChinaCloud, needs validating in AzureUSGovernment + ] AzureChinaCloud: [ - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.AzureChinaCloud.json') // Due to missing built-in Policy Definitions () - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.AzureChinaCloud.json') // Due to missing "Deploy-Diagnostics-AVDScalingPlans" custom Policy Definition - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (44433aa3-7ec2-4002-93ea-65c65ff0310a, 50ea7265-7d8c-429e-9a7d-ca1f410191c3, b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d, 74c30959-af11-47b3-9ed2-a26e03f427a3, 1f725891-01c0-420a-9059-4fa46cb770b7, 2370a3c1-4a25-4283-a91a-c9c1a145fb2f, b7021b2b-08fd-4dc0-9de7-3c6ece09faf9, b99b73e7-074b-4089-9395-b7236f094491) - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json') // Due to missing built-in Policy Definitions () + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.AzureChinaCloud.json') // *DONE*Due to missing built-in Policy Definitions (5e8168db-69e3-4beb-9822-57cb59202a9d, 955a914f-bf86-4f0e-acd5-e0766b0efcb6, etc) + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.AzureChinaCloud.json') //*???It's deprecated and replaced by build-in*Due to missing "Deploy-Diagnostics-AVDScalingPlans" custom Policy Definition + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.AzureChinaCloud.json') // *DONE*Due to missing built-in Policy Definitions (44433aa3-7ec2-4002-93ea-65c65ff0310a, 50ea7265-7d8c-429e-9a7d-ca1f410191c3, b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d, 74c30959-af11-47b3-9ed2-a26e03f427a3, 1f725891-01c0-420a-9059-4fa46cb770b7, 2370a3c1-4a25-4283-a91a-c9c1a145fb2f, b7021b2b-08fd-4dc0-9de7-3c6ece09faf9, b99b73e7-074b-4089-9395-b7236f094491) loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (051cba44-2429-45b9-9649-46cec11c7119), and replacement custom Policy Definitions ("Deploy-MySQLCMKEffect", "Deploy-PostgreSQLCMKEffect") + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json') // *DONE* Due to missing built-in Policy Definitions (0b026355-49cb-467b-8ac4-f777874e175a) + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (361c2074-3595-4e5d-8cab-4f21dffc835c) + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (0e80e269-43a4-4ae9-b5bc-178126b8a5cb) + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (8b346db6-85af-419b-8557-92cee2c0f9bb) + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (86810a98-8e91-4a44-8386-ec66d0de5d57) + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (6d02d2f7-e38b-4bdc-96f3-adc0a8726abc) + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (3a58212a-c829-4f13-9872-6371df2fd0b4) + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (055aa869-bc98-4af8-bafc-23f1ab6ffe2c) + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (b5f04e03-92a3-4b09-9410-2cc5e5047656) ] AzureUSGovernment: [ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.AzureUSGovernment.json') // Due to missing built-in Policy Definitions (5e1de0e3-42cb-4ebc-a86d-61d0c619ca48, c9299215-ae47-4f50-9c54-8a392f68a052) @@ -95,6 +104,16 @@ var loadPolicySetDefinitions = { loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.AzureUSGovernment.json') // Due to missing built-in Policy Definitions (44433aa3-7ec2-4002-93ea-65c65ff0310a, 50ea7265-7d8c-429e-9a7d-ca1f410191c3, b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d, 1f725891-01c0-420a-9059-4fa46cb770b7) loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureUSGovernment.json') // Due to missing built-in Policy Definitions (0b026355-49cb-467b-8ac4-f777874e175a) loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.AzureUSGovernment.json') // Due to missing built-in Policy Definitions (83cef61d-dbd1-4b20-a4fc-5fbc7da10833, 18adea5e-f416-4d0f-8aa8-d24321e3e274, 051cba44-2429-45b9-9649-46cec11c7119) + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.json') // FSI specific initiative. Not working in AzureChinaCloud, needs validating in AzureUSGovernment + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.json') // FSI specific initiative. Not working in AzureChinaCloud, needs validating in AzureUSGovernment + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit.json') // Not working in AzureChinaCloud, needs validating in AzureUSGovernment + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json') // Not working in AzureChinaCloud, needs validating in AzureUSGovernment + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.json') // FSI specific initiative. Not working in AzureChinaCloud, needs validating in AzureUSGovernment + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.json') // Not working in AzureChinaCloud, needs validating in AzureUSGovernment + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.json') // FSI specific initiative. Not working in AzureChinaCloud, needs validating in AzureUSGovernment + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.json') // FSI specific initiative. Not working in AzureChinaCloud, needs validating in AzureUSGovernment + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json') // FSI specific initiative. Not working in AzureChinaCloud, needs validating in AzureUSGovernment + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.json') // FSI specific initiative. Not working in AzureChinaCloud, needs validating in AzureUSGovernment ] } From 791f11ae53cff0542011865e95cef6bfc4aae146 Mon Sep 17 00:00:00 2001 From: yuanzhang9 Date: Mon, 5 Aug 2024 13:33:30 +0800 Subject: [PATCH 10/35] Correction on policy assignment name --- eslzArm/eslzArm.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index 5004523a43..65d17fd2a4 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -1587,7 +1587,7 @@ "PublicEndpointPolicyAssignmentMapping": { "https://management.azure.com/": "managementGroupTemplates/policyAssignments/DENY-PublicEndpointPolicyAssignment.json", "https://management.usgovcloudapi.net": "managementGroupTemplates/policyAssignments/DENY-PublicEndpointPolicyAssignment.json", // This needs to be updated for USGovernmentCloud - "https://management.chinacloudapi.cn": "managementGroupTemplates/policyAssignments/china/mcDINE-PublicEndpointPolicyAssignment.json" + "https://management.chinacloudapi.cn": "managementGroupTemplates/policyAssignments/china/mcDENY-PublicEndpointPolicyAssignment.json" }, "PublicEndpointPolicyAssignment": "[variables('PublicEndpointPolicyAssignmentMapping')[environment().resourceManager]]", From fe9f166f8dbb8ae654adfcf89e21638dbc3fc357 Mon Sep 17 00:00:00 2001 From: yuanzhang9 Date: Mon, 5 Aug 2024 17:05:34 +0800 Subject: [PATCH 11/35] Update on policyset definition name by adding "AzureChinaCloud" --- .../Deploy-Diagnostics-LogAnalytics.AzureChinaCloud.json | 2 +- .../Enforce-EncryptTransit_20240509.AzureChinaCloud.json | 2 +- .../Enforce-Encryption-CMK.AzureChinaCloud.json | 2 +- .../Enforce-Guardrails-Automation.AzureChinaCloud.json | 2 +- .../Enforce-Guardrails-ContainerApps.AzureChinaCloud.json | 2 +- .../Enforce-Guardrails-CosmosDb.AzureChinaCloud.json | 2 +- .../Enforce-Guardrails-KeyVault-Sup.AzureChinaCloud.json | 2 +- .../Enforce-Guardrails-KeyVault.AzureChinaCloud.json | 2 +- .../Enforce-Guardrails-MySQL.AzureChinaCloud.json | 2 +- .../Enforce-Guardrails-Network.AzureChinaCloud.json | 2 +- .../Enforce-Guardrails-Storage.AzureChinaCloud.json | 2 +- src/templates/initiatives.bicep | 8 ++++---- 12 files changed, 15 insertions(+), 15 deletions(-) diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.AzureChinaCloud.json index ee18af091c..880d6ef31a 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.AzureChinaCloud.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.AzureChinaCloud.json @@ -1,5 +1,5 @@ { - "name": "Deploy-Diagnostics-LogAnalytics", + "name": "Deploy-Diagnostics-LogAnalytics-AzureChinaCloud", "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "scope": null, diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.AzureChinaCloud.json index 4721094533..955cbbe5f1 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.AzureChinaCloud.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.AzureChinaCloud.json @@ -1,5 +1,5 @@ { - "name": "Enforce-EncryptTransit_20240509", + "name": "Enforce-EncryptTransit_20240509-AzureChinaCloud", "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "scope": null, diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.AzureChinaCloud.json index bd78dc311b..f21fb0f251 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.AzureChinaCloud.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.AzureChinaCloud.json @@ -1,5 +1,5 @@ { - "name": "Enforce-Encryption-CMK", + "name": "Enforce-Encryption-CMK-AzureChinaCloud", "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "scope": null, diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.AzureChinaCloud.json index 64f2ef98e7..89d5a68003 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.AzureChinaCloud.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.AzureChinaCloud.json @@ -1,5 +1,5 @@ { - "name": "Enforce-Guardrails-Automation", + "name": "Enforce-Guardrails-Automation-AzureChinaCloud", "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "scope": null, diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.AzureChinaCloud.json index 20a559d4a5..ee4a15624f 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.AzureChinaCloud.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.AzureChinaCloud.json @@ -1,5 +1,5 @@ { - "name": "Enforce-Guardrails-ContainerApps", + "name": "Enforce-Guardrails-ContainerApps-AzureChinaCloud", "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "scope": null, diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.AzureChinaCloud.json index 75d1d67960..129b6a19c7 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.AzureChinaCloud.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.AzureChinaCloud.json @@ -1,5 +1,5 @@ { - "name": "Enforce-Guardrails-CosmosDb", + "name": "Enforce-Guardrails-CosmosDb-AzureChinaCloud", "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "scope": null, diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.AzureChinaCloud.json index 7fad9290da..2105d926eb 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.AzureChinaCloud.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.AzureChinaCloud.json @@ -1,5 +1,5 @@ { - "name": "Enforce-Guardrails-KeyVault-Sup", + "name": "Enforce-Guardrails-KeyVault-Sup-AzureChinaCloud", "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "scope": null, diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.AzureChinaCloud.json index e4d94be21c..1c75125218 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.AzureChinaCloud.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.AzureChinaCloud.json @@ -1,5 +1,5 @@ { - "name": "Enforce-Guardrails-KeyVault", + "name": "Enforce-Guardrails-KeyVault-AzureChinaCloud", "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "scope": null, diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.AzureChinaCloud.json index 056597a6e3..31b0554dad 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.AzureChinaCloud.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.AzureChinaCloud.json @@ -1,5 +1,5 @@ { - "name": "Enforce-Guardrails-MySQL", + "name": "Enforce-Guardrails-MySQL-AzureChinaCloud", "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "scope": null, diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.AzureChinaCloud.json index a71ae0df23..ace7e005b2 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.AzureChinaCloud.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.AzureChinaCloud.json @@ -1,5 +1,5 @@ { - "name": "Enforce-Guardrails-Network", + "name": "Enforce-Guardrails-Network-AzureChinaCloud", "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "scope": null, diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.AzureChinaCloud.json index e43decc9d1..7248cb847e 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.AzureChinaCloud.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.AzureChinaCloud.json @@ -1,5 +1,5 @@ { - "name": "Enforce-Guardrails-Storage", + "name": "Enforce-Guardrails-Storage-AzureChinaCloud", "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "scope": null, diff --git a/src/templates/initiatives.bicep b/src/templates/initiatives.bicep index 412f0e6a6b..a471d99eda 100644 --- a/src/templates/initiatives.bicep +++ b/src/templates/initiatives.bicep @@ -84,11 +84,11 @@ var loadPolicySetDefinitions = { ] AzureChinaCloud: [ - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.AzureChinaCloud.json') // *DONE*Due to missing built-in Policy Definitions (5e8168db-69e3-4beb-9822-57cb59202a9d, 955a914f-bf86-4f0e-acd5-e0766b0efcb6, etc) - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.AzureChinaCloud.json') //*???It's deprecated and replaced by build-in*Due to missing "Deploy-Diagnostics-AVDScalingPlans" custom Policy Definition - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.AzureChinaCloud.json') // *DONE*Due to missing built-in Policy Definitions (44433aa3-7ec2-4002-93ea-65c65ff0310a, 50ea7265-7d8c-429e-9a7d-ca1f410191c3, b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d, 74c30959-af11-47b3-9ed2-a26e03f427a3, 1f725891-01c0-420a-9059-4fa46cb770b7, 2370a3c1-4a25-4283-a91a-c9c1a145fb2f, b7021b2b-08fd-4dc0-9de7-3c6ece09faf9, b99b73e7-074b-4089-9395-b7236f094491) + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (5e8168db-69e3-4beb-9822-57cb59202a9d, 955a914f-bf86-4f0e-acd5-e0766b0efcb6, etc) + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.AzureChinaCloud.json') //Due to missing "Deploy-Diagnostics-AVDScalingPlans" custom Policy Definition + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (44433aa3-7ec2-4002-93ea-65c65ff0310a, 50ea7265-7d8c-429e-9a7d-ca1f410191c3, b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d, 74c30959-af11-47b3-9ed2-a26e03f427a3, 1f725891-01c0-420a-9059-4fa46cb770b7, 2370a3c1-4a25-4283-a91a-c9c1a145fb2f, b7021b2b-08fd-4dc0-9de7-3c6ece09faf9, b99b73e7-074b-4089-9395-b7236f094491) loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (051cba44-2429-45b9-9649-46cec11c7119), and replacement custom Policy Definitions ("Deploy-MySQLCMKEffect", "Deploy-PostgreSQLCMKEffect") - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json') // *DONE* Due to missing built-in Policy Definitions (0b026355-49cb-467b-8ac4-f777874e175a) + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (0b026355-49cb-467b-8ac4-f777874e175a) loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (361c2074-3595-4e5d-8cab-4f21dffc835c) loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (0e80e269-43a4-4ae9-b5bc-178126b8a5cb) loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (8b346db6-85af-419b-8557-92cee2c0f9bb) From 819f220037706eb5ba719b48ce9d4515ac9297a5 Mon Sep 17 00:00:00 2001 From: yuanzhang9 Date: Mon, 5 Aug 2024 17:32:46 +0800 Subject: [PATCH 12/35] Remove duplicated load for PolicySet Enforce-Storage --- .../policyDefinitions/initiatives.json | 118 +++++++++--------- src/templates/initiatives.bicep | 1 - 2 files changed, 58 insertions(+), 61 deletions(-) diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json index 40c274a247..97a13b9c95 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5556617491904947398" + "templateHash": "11926918519774617838" } }, "parameters": { @@ -92,62 +92,61 @@ "$fxv#20": "{\n \"name\": \"Enforce-Guardrails-PostgreSQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for PostgreSQL\",\n \"description\": \"This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"PostgreSQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"postgreSqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3\",\n \"policyDefinitionReferenceId\": \"Dine-PostgreSql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#21": "{\n \"name\": \"Enforce-Guardrails-ServiceBus\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Service Bus\",\n \"description\": \"This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Service Bus\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"serviceBusModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyDisabledLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusAuthzRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Authz-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusAuthzRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebaf4f25-a4e8-415f-86a8-42d9155bef0b\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfb11c26-f069-4c14-8e36-56c394dae5af\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyDisabledLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e\",\n \"policyDefinitionReferenceId\": \"Modify-Sb-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusModifyDisableLocalAuth')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#22": "{\n \"name\": \"Enforce-Guardrails-SQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for SQL and SQL Managed Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"sqlManagedAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"modifySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Managed-Defender\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Aad-Only\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Aad-Only\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Adv-Data\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b\",\n \"policyDefinitionReferenceId\": \"Modify-Sql-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifySqlPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#23": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\n \"policyDefinitionReferenceId\": \"Dine-Storage-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#24": "{\n \"name\": \"Enforce-Guardrails-Synapse\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Synapse workspaces\",\n \"description\": \"This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Synapse\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"synapseLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseManagedVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseDataTraffic\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTenants\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseAllowedTenantIds\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"[[subscription().tenantId]\"\n ]\n },\n \"synapseFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"synapseModifyTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6\",\n \"policyDefinitionReferenceId\": \"Dine-Synapse-Defender\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3624673-d2ff-48e0-b28c-5de1c6767c3c\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56fd377d-098c-4f02-8406-81eb055902b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a003702-13d2-4679-941b-937e58c443f0\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tenant-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTenants')]\"\n },\n \"allowedTenantIds\": {\n \"value\": \"[[parameters('synapseAllowedTenantIds')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3484ce98-c0c5-4c83-994b-c5ac24785218\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Data-Traffic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDataTraffic')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d9dbfa3-927b-4cf0-9d0f-08747f971650\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Managed-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseManagedVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b5c654c-fb07-471b-aa8f-15fea733f140\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c8cad01-ef30-4891-b230-652dadb4876a\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#25": "{\n \"name\": \"Enforce-Guardrails-VirtualDesktop\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Virtual Desktop\",\n \"description\": \"This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Desktop Virtualization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"avdWorkspaceModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ce6ebf1d-0b94-4df9-9257-d8cacc238b4f\",\n \"policyDefinitionReferenceId\": \"Modify-Workspace-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspaceModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a0913ff-51e7-47b8-97bb-ea17127f7c8d\",\n \"policyDefinitionReferenceId\": \"Modify-Hostpool-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#26": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"5.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registries with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"PostgreSQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSql Flexible Server\",\n \"description\": \"This policy denies creation of PostgreSQL Flexible DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"postgreSqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSQL servers\",\n \"description\": \"This policy denies creation of PostgreSQL DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MySQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for MySQL Flexible Server\",\n \"description\": \"This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MlPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Machine Learning\",\n \"description\": \"This policy denies creation of Azure Machine Learning with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"RedisCachePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Cache for Redis\",\n \"description\": \"This policy denies creation of Azure Cache for Redis with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BotServicePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Bot Service\",\n \"description\": \"This policy denies creation of Bot Service with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AutomationPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Automation accounts\",\n \"description\": \"This policy denies creation of Automation accounts with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AppConfigPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Configuration\",\n \"description\": \"This policy denies creation of App Configuration with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionAppSlotPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service Environment apps\",\n \"description\": \"This policy denies creation of App Service Environment apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service apps\",\n \"description\": \"This policy denies creation of App Service apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ApiManPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for API Management services\",\n \"description\": \"This policy denies creation of API Management services with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n },\n \"ContainerAppsEnvironmentDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Container Apps environment should disable public network access\",\n \"description\": \"This policy denies creation of Container Apps Environment with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsrVaultDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Azure Recovery Services vaults should disable public network access\",\n \"description\": \"This policy denies creation of Azure Recovery Services vaults with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"logicAppPublicNetworkAccessEffect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"appSlotsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"cognitiveSearchPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"managedDiskPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"containerAppsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmDisablePublicNetwork\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapsePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdWorkspacePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"grafanaPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-PostgreSql-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MlPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisCachePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BotServiceDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BotServicePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppConfigDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppConfigPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppSlotsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/11c82d0c-db9f-4d7b-97c5-f3f9aa957da2\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppSlotPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AseDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApiManDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ApiManPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsEnvironmentDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsEnvironmentDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/783ea2a8-b8fd-46be-896a-9ae79643a0b1\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"AsrVaultDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9ebbbba3-4d65-4da9-bb67-b22cfaaff090\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsrVaultDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppPublicNetworkAccessEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/701a595d-38fb-4a66-ae6d-fb3735217622\",\n \"policyDefinitionReferenceId\": \"Deny-AppSlots-Public\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appSlotsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8405fdab-1faf-48aa-b702-999c9c172094\",\n \"policyDefinitionReferenceId\": \"Deny-ManagedDisk-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('managedDiskPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43bc7be6-5e69-4b0d-a2bb-e815557ca673\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1cf164be-6819-4a50-b8fa-4bcaa4f98fb6\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8f774be-6aee-492a-9e29-486ef81f3a68\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1adadefe-5f21-44f7-b931-a59b54ccdb45\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0602787f-9896-402a-a6e1-39ee63ee435e\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/19ea9d63-adee-4431-a95e-1913c6c1c75f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PublicNetwork\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetwork')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cbd11fd3-3002-4907-b6c8-579f0e700e13\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Public-Endpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Public-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsPublicAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/38d8df46-cf4e-4073-8e03-48c24b29de0d\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapsePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ac3038-c07a-4b92-860d-29e270a4f3cd\",\n \"policyDefinitionReferenceId\": \"Deny-Workspace-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspacePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c25dcf31-878f-4eba-98eb-0818fdc6a334\",\n \"policyDefinitionReferenceId\": \"Deny-Hostpool-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8775d5a-73b7-4977-a39b-833ef0114628\",\n \"policyDefinitionReferenceId\": \"Deny-Grafana-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('grafanaPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#27": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. This policy set is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"2.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for API Management to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for API Management to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for Firewall to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for Firewall to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Log Analytics to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category Audit enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AVDScalingPlansLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AVDScalingPlansLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#28": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html\",\n \"metadata\": {\n \"version\": \"7.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-MDFC-Config_20240319\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"default\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForApis\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForApis\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForApis')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#29": "{\n \"name\": \"Deploy-MDFC-Config_20240319\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-MDFC-Config\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"mdeTvm\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#23": "{\n \"name\": \"Enforce-Guardrails-Synapse\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Synapse workspaces\",\n \"description\": \"This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Synapse\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"synapseLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseManagedVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseDataTraffic\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTenants\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseAllowedTenantIds\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"[[subscription().tenantId]\"\n ]\n },\n \"synapseFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"synapseModifyTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6\",\n \"policyDefinitionReferenceId\": \"Dine-Synapse-Defender\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3624673-d2ff-48e0-b28c-5de1c6767c3c\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56fd377d-098c-4f02-8406-81eb055902b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a003702-13d2-4679-941b-937e58c443f0\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tenant-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTenants')]\"\n },\n \"allowedTenantIds\": {\n \"value\": \"[[parameters('synapseAllowedTenantIds')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3484ce98-c0c5-4c83-994b-c5ac24785218\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Data-Traffic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDataTraffic')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d9dbfa3-927b-4cf0-9d0f-08747f971650\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Managed-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseManagedVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b5c654c-fb07-471b-aa8f-15fea733f140\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c8cad01-ef30-4891-b230-652dadb4876a\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#24": "{\n \"name\": \"Enforce-Guardrails-VirtualDesktop\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Virtual Desktop\",\n \"description\": \"This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Desktop Virtualization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"avdWorkspaceModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ce6ebf1d-0b94-4df9-9257-d8cacc238b4f\",\n \"policyDefinitionReferenceId\": \"Modify-Workspace-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspaceModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a0913ff-51e7-47b8-97bb-ea17127f7c8d\",\n \"policyDefinitionReferenceId\": \"Modify-Hostpool-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#25": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"5.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registries with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"PostgreSQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSql Flexible Server\",\n \"description\": \"This policy denies creation of PostgreSQL Flexible DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"postgreSqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSQL servers\",\n \"description\": \"This policy denies creation of PostgreSQL DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MySQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for MySQL Flexible Server\",\n \"description\": \"This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MlPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Machine Learning\",\n \"description\": \"This policy denies creation of Azure Machine Learning with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"RedisCachePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Cache for Redis\",\n \"description\": \"This policy denies creation of Azure Cache for Redis with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BotServicePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Bot Service\",\n \"description\": \"This policy denies creation of Bot Service with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AutomationPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Automation accounts\",\n \"description\": \"This policy denies creation of Automation accounts with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AppConfigPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Configuration\",\n \"description\": \"This policy denies creation of App Configuration with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionAppSlotPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service Environment apps\",\n \"description\": \"This policy denies creation of App Service Environment apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service apps\",\n \"description\": \"This policy denies creation of App Service apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ApiManPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for API Management services\",\n \"description\": \"This policy denies creation of API Management services with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n },\n \"ContainerAppsEnvironmentDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Container Apps environment should disable public network access\",\n \"description\": \"This policy denies creation of Container Apps Environment with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsrVaultDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Azure Recovery Services vaults should disable public network access\",\n \"description\": \"This policy denies creation of Azure Recovery Services vaults with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"logicAppPublicNetworkAccessEffect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"appSlotsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"cognitiveSearchPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"managedDiskPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"containerAppsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmDisablePublicNetwork\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapsePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdWorkspacePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"grafanaPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-PostgreSql-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MlPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisCachePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BotServiceDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BotServicePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppConfigDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppConfigPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppSlotsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/11c82d0c-db9f-4d7b-97c5-f3f9aa957da2\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppSlotPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AseDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApiManDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ApiManPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsEnvironmentDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsEnvironmentDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/783ea2a8-b8fd-46be-896a-9ae79643a0b1\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"AsrVaultDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9ebbbba3-4d65-4da9-bb67-b22cfaaff090\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsrVaultDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppPublicNetworkAccessEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/701a595d-38fb-4a66-ae6d-fb3735217622\",\n \"policyDefinitionReferenceId\": \"Deny-AppSlots-Public\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appSlotsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8405fdab-1faf-48aa-b702-999c9c172094\",\n \"policyDefinitionReferenceId\": \"Deny-ManagedDisk-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('managedDiskPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43bc7be6-5e69-4b0d-a2bb-e815557ca673\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1cf164be-6819-4a50-b8fa-4bcaa4f98fb6\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8f774be-6aee-492a-9e29-486ef81f3a68\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1adadefe-5f21-44f7-b931-a59b54ccdb45\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0602787f-9896-402a-a6e1-39ee63ee435e\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/19ea9d63-adee-4431-a95e-1913c6c1c75f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PublicNetwork\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetwork')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cbd11fd3-3002-4907-b6c8-579f0e700e13\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Public-Endpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Public-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsPublicAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/38d8df46-cf4e-4073-8e03-48c24b29de0d\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapsePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ac3038-c07a-4b92-860d-29e270a4f3cd\",\n \"policyDefinitionReferenceId\": \"Deny-Workspace-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspacePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c25dcf31-878f-4eba-98eb-0818fdc6a334\",\n \"policyDefinitionReferenceId\": \"Deny-Hostpool-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8775d5a-73b7-4977-a39b-833ef0114628\",\n \"policyDefinitionReferenceId\": \"Deny-Grafana-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('grafanaPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#26": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. This policy set is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"2.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for API Management to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for API Management to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for Firewall to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for Firewall to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Log Analytics to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category Audit enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AVDScalingPlansLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AVDScalingPlansLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#27": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html\",\n \"metadata\": {\n \"version\": \"7.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-MDFC-Config_20240319\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"default\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForApis\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForApis\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForApis')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#28": "{\n \"name\": \"Deploy-MDFC-Config_20240319\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-MDFC-Config\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"mdeTvm\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#29": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"2.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDatabricksPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDatabricksPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureHDInsightPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMigratePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMigratePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueueSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueueSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesKeyPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesKeyPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesLivePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesLivePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesStreamPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesStreamPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBotServicePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBotServicePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureManagedGrafanaWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureManagedGrafanaWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotDeviceupdatePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotDeviceupdatePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcGuestconfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcGuestconfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcHybridResourceProviderPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcHybridResourceProviderPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcKubernetesConfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcKubernetesConfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotCentralPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotCentralPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-UI-Api\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"databricks_ui_api\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-Browser-AuthN\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"browser_authentication\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Migrate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMigratePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Key\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesKeyPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"keydelivery\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Live\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesLivePrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"liveevent\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Stream\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesStreamPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"streamingendpoint\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-BotService\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6a4e6f44-f2af-4082-9702-033c9e88b9f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBotServicePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ManagedGrafanaWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4c8537f8-cd1b-49ec-b704-18e82a42fd58\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureManagedGrafanaWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTDeviceupdate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotDeviceupdatePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Arc\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9\",\n \"parameters\":{\n \"privateDnsZoneIDForGuestConfiguration\": {\n \"value\": \"[[parameters('azureArcGuestconfigurationPrivateDnsZoneId')]\"\n },\n \"privateDnsZoneIDForHybridResourceProvider\": {\n \"value\": \"[[parameters('azureArcHybridResourceProviderPrivateDnsZoneId')]\"\n },\n \"privateDnsZoneIDForKubernetesConfiguration\": {\n \"value\": \"[[parameters('azureArcKubernetesConfigurationPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTCentral\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d627d7c6-ded5-481a-8f2e-7e16b1e6faf6\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotCentralPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTablePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#3": "{\n \"name\": \"Deploy-Sql-Security_20240529\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy SQL Database built-in SQL security configuration\",\n \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-Sql-Security\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"metadata\": {\n \"description\": \"The email address to send alerts\",\n \"displayName\": \"The email address to send alerts\"\n },\n \"type\": \"Array\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n },\n \"type\": \"String\"\n },\n \"SqlDbTdeDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n }\n },\n \"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n }\n },\n \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL database auditing settings\",\n \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n }\n },\n \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments_20230706\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#30": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"2.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDatabricksPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDatabricksPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureHDInsightPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMigratePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMigratePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueueSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueueSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesKeyPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesKeyPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesLivePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesLivePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesStreamPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesStreamPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBotServicePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBotServicePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureManagedGrafanaWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureManagedGrafanaWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotDeviceupdatePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotDeviceupdatePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcGuestconfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcGuestconfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcHybridResourceProviderPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcHybridResourceProviderPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcKubernetesConfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcKubernetesConfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotCentralPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotCentralPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-UI-Api\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"databricks_ui_api\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-Browser-AuthN\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"browser_authentication\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Migrate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMigratePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Key\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesKeyPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"keydelivery\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Live\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesLivePrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"liveevent\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Stream\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesStreamPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"streamingendpoint\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-BotService\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6a4e6f44-f2af-4082-9702-033c9e88b9f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBotServicePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ManagedGrafanaWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4c8537f8-cd1b-49ec-b704-18e82a42fd58\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureManagedGrafanaWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTDeviceupdate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotDeviceupdatePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Arc\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9\",\n \"parameters\":{\n \"privateDnsZoneIDForGuestConfiguration\": {\n \"value\": \"[[parameters('azureArcGuestconfigurationPrivateDnsZoneId')]\"\n },\n \"privateDnsZoneIDForHybridResourceProvider\": {\n \"value\": \"[[parameters('azureArcHybridResourceProviderPrivateDnsZoneId')]\"\n },\n \"privateDnsZoneIDForKubernetesConfiguration\": {\n \"value\": \"[[parameters('azureArcKubernetesConfigurationPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTCentral\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d627d7c6-ded5-481a-8f2e-7e16b1e6faf6\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotCentralPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTablePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#31": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"3.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"HealthcareAPIsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest\",\n \"description\": \"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n },\n \"AutomationAccountCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"BackupCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"osAndDataDiskCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerInstanceCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"eventHubPremiumCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlManagedCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageTableCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsEncryptionCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageQueueCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HealthcareAPIsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('HealthcareAPIsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationAccountCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671\",\n \"policyDefinitionReferenceId\": \"Deny-Backup-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BackupCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0\",\n \"policyDefinitionReferenceId\": \"Deny-OsAndDataDisk-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('osAndDataDiskCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Premium-CMK\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubPremiumCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c322315-e26d-4174-a99e-f49d351b4688\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Table-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageTableCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Encryption-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsEncryptionCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e5abd0-2554-4736-b7c0-4ffef23475ef\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Queue-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageQueueCmk')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#32": "{\n \"name\": \"Enforce-ACSB\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce Azure Compute Security Benchmark compliance auditing\",\n \"description\": \"Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Guest Configuration\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"includeArcMachines\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"true\",\n \"false\"\n ],\n \"metadata\": {\n \"displayName\": \"Include Arc connected servers\",\n \"description\": \"By selecting this option, you agree to be charged monthly per Arc connected machine.\"\n },\n \"defaultValue\": \"true\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"GcIdentity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#33": "{\n \"name\": \"Deploy-MDFC-DefenderSQL-AMA\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Configure SQL VM and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LAW\",\n \"description\": \"Initiative is deprecated as the built-in initiative now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/de01d381-bae9-4670-8870-786f89f49e26.html\",\n \"metadata\": {\n \"version\": \"1.0.1-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"de01d381-bae9-4670-8870-786f89f49e26\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace Resource Id\",\n \"description\": \"Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Enable collection of SQL queries for security research\",\n \"description\": \"Enable or disable the collection of SQL queries for security research.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"identityResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Identity Resource Group\",\n \"description\": \"The name of the resource group created by the policy.\"\n },\n \"defaultValue\": \"\"\n },\n \"userAssignedIdentityName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User Assigned Managed Identity Name\",\n \"description\": \"The name of the user assigned managed identity.\"\n },\n \"defaultValue\": \"\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3592ff98-9787-443a-af59-4505d0fe0786\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65503269-6a54-4553-8a28-0065a8e6d929\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-Sql-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcDcrAssociation\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DCR-Association\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"identityResourceGroup\": {\n \"value\": \"[[parameters('identityResourceGroup')]\"\n },\n \"userAssignedIdentityName\": {\n \"value\": \"[[parameters('userAssignedIdentityName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Disabled\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#34": "{\n \"name\": \"Enforce-Backup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce enhanced recovery and backup policies\",\n \"description\": \"Enforce enhanced recovery and backup policies on assigned scopes.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Backup\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"checkLockedImmutabilityOnly\",\n \"description\": \"This parameter checks if Immutability is locked for Backup Vaults in scope. Selecting 'true' will mark only vaults with Immutability 'Locked' as compliant. Selecting 'false' will mark vaults that have Immutability either 'Enabled' or 'Locked' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"CheckAlwaysOnSoftDeleteOnly\",\n \"description\": \"This parameter checks if Soft Delete is 'Locked' for Backup Vaults in scope. Selecting 'true' will mark only vaults with Soft Delete 'AlwaysOn' as compliant. Selecting 'false' will mark vaults that have Soft Delete either 'On' or 'AlwaysOn' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2514263b-bc0d-4b06-ac3e-f262c0979018\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabiltyOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6f6f560-14b7-49a4-9fc8-d2c3a9807868\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9798d31d-6028-4dee-8643-46102185c016\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/31b8092a-36b8-434b-9af7-5ec844364148\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c58e083e-7982-4e24-afdc-be14d312389e\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c7031eab-0fc0-4cd9-acd0-4497bd66d91a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#35": "{\n \"name\": \"Enforce-ALZ-Decomm\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Decommissioned Landing Zone\",\n \"description\": \"Enforce policies in the Decommissioned Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Decommissioned\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [ \n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesAllowed\":{\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Allowed resource types in the Decommissioned landing zone\",\n \"description\": \"Allowed resource types in the Decommissioned landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DecomDenyResources\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c\",\n \"parameters\": {\n \"listOfResourceTypesAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DecomShutdownMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }\n ", - "$fxv#36": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\n \"policyDefinitionReferenceId\": \"Dine-Storage-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#37": "{\n \"name\": \"Enforce-Guardrails-KeyVault-Sup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce additional recommended guardrails for Key Vault\",\n \"description\": \"This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"keyVaultManagedHsmDisablePublicNetworkModify\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"keyVaultModifyFw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456\",\n \"policyDefinitionReferenceId\": \"Modify-KV-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\",\n \"policyDefinitionReferenceId\": \"Modify-KV-Fw\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultModifyFw')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#38": "{\n \"name\": \"Enforce-EncryptTransit\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html\",\n \"metadata\": {\n \"version\": \"2.1.0-deprecated\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Enforce-EncryptTransit_20240509\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"StorageHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }", - "$fxv#39": "{\n \"name\": \"Enforce-EncryptTransit_20240509\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#30": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"3.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"HealthcareAPIsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest\",\n \"description\": \"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n },\n \"AutomationAccountCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"BackupCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"osAndDataDiskCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerInstanceCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"eventHubPremiumCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlManagedCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageTableCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsEncryptionCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageQueueCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HealthcareAPIsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('HealthcareAPIsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationAccountCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671\",\n \"policyDefinitionReferenceId\": \"Deny-Backup-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BackupCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0\",\n \"policyDefinitionReferenceId\": \"Deny-OsAndDataDisk-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('osAndDataDiskCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Premium-CMK\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubPremiumCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c322315-e26d-4174-a99e-f49d351b4688\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Table-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageTableCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Encryption-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsEncryptionCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e5abd0-2554-4736-b7c0-4ffef23475ef\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Queue-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageQueueCmk')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#31": "{\n \"name\": \"Enforce-ACSB\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce Azure Compute Security Benchmark compliance auditing\",\n \"description\": \"Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Guest Configuration\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"includeArcMachines\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"true\",\n \"false\"\n ],\n \"metadata\": {\n \"displayName\": \"Include Arc connected servers\",\n \"description\": \"By selecting this option, you agree to be charged monthly per Arc connected machine.\"\n },\n \"defaultValue\": \"true\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"GcIdentity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#32": "{\n \"name\": \"Deploy-MDFC-DefenderSQL-AMA\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Configure SQL VM and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LAW\",\n \"description\": \"Initiative is deprecated as the built-in initiative now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/de01d381-bae9-4670-8870-786f89f49e26.html\",\n \"metadata\": {\n \"version\": \"1.0.1-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"de01d381-bae9-4670-8870-786f89f49e26\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace Resource Id\",\n \"description\": \"Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Enable collection of SQL queries for security research\",\n \"description\": \"Enable or disable the collection of SQL queries for security research.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"identityResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Identity Resource Group\",\n \"description\": \"The name of the resource group created by the policy.\"\n },\n \"defaultValue\": \"\"\n },\n \"userAssignedIdentityName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User Assigned Managed Identity Name\",\n \"description\": \"The name of the user assigned managed identity.\"\n },\n \"defaultValue\": \"\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3592ff98-9787-443a-af59-4505d0fe0786\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65503269-6a54-4553-8a28-0065a8e6d929\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-Sql-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcDcrAssociation\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DCR-Association\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"identityResourceGroup\": {\n \"value\": \"[[parameters('identityResourceGroup')]\"\n },\n \"userAssignedIdentityName\": {\n \"value\": \"[[parameters('userAssignedIdentityName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Disabled\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#33": "{\n \"name\": \"Enforce-Backup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce enhanced recovery and backup policies\",\n \"description\": \"Enforce enhanced recovery and backup policies on assigned scopes.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Backup\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"checkLockedImmutabilityOnly\",\n \"description\": \"This parameter checks if Immutability is locked for Backup Vaults in scope. Selecting 'true' will mark only vaults with Immutability 'Locked' as compliant. Selecting 'false' will mark vaults that have Immutability either 'Enabled' or 'Locked' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"CheckAlwaysOnSoftDeleteOnly\",\n \"description\": \"This parameter checks if Soft Delete is 'Locked' for Backup Vaults in scope. Selecting 'true' will mark only vaults with Soft Delete 'AlwaysOn' as compliant. Selecting 'false' will mark vaults that have Soft Delete either 'On' or 'AlwaysOn' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2514263b-bc0d-4b06-ac3e-f262c0979018\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabiltyOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6f6f560-14b7-49a4-9fc8-d2c3a9807868\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9798d31d-6028-4dee-8643-46102185c016\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/31b8092a-36b8-434b-9af7-5ec844364148\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c58e083e-7982-4e24-afdc-be14d312389e\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c7031eab-0fc0-4cd9-acd0-4497bd66d91a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#34": "{\n \"name\": \"Enforce-ALZ-Decomm\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Decommissioned Landing Zone\",\n \"description\": \"Enforce policies in the Decommissioned Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Decommissioned\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [ \n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesAllowed\":{\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Allowed resource types in the Decommissioned landing zone\",\n \"description\": \"Allowed resource types in the Decommissioned landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DecomDenyResources\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c\",\n \"parameters\": {\n \"listOfResourceTypesAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DecomShutdownMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }\n ", + "$fxv#35": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\n \"policyDefinitionReferenceId\": \"Dine-Storage-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#36": "{\n \"name\": \"Enforce-Guardrails-KeyVault-Sup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce additional recommended guardrails for Key Vault\",\n \"description\": \"This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"keyVaultManagedHsmDisablePublicNetworkModify\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"keyVaultModifyFw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456\",\n \"policyDefinitionReferenceId\": \"Modify-KV-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\",\n \"policyDefinitionReferenceId\": \"Modify-KV-Fw\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultModifyFw')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#37": "{\n \"name\": \"Enforce-EncryptTransit\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html\",\n \"metadata\": {\n \"version\": \"2.1.0-deprecated\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Enforce-EncryptTransit_20240509\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"StorageHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }", + "$fxv#38": "{\n \"name\": \"Enforce-EncryptTransit_20240509\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#39": "{\n \"name\": \"Enforce-Guardrails-ContainerApps\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsVnetInjection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApp-Vnet-Injection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsVnetInjection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#4": "{\n \"name\": \"Enforce-ALZ-Sandbox\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Sandbox Landing Zone\",\n \"description\": \"Enforce policies in the Sandbox Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Sandbox\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesNotAllowed\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Not allowed resource types in the Sandbox landing zone\",\n \"description\": \"Not allowed resource types in the Sandbox landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n },\n \"effectNotAllowedResources\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectDenyVnetPeering\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SandboxNotAllowed\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectNotAllowedResources')]\"\n },\n \"listOfResourceTypesNotAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesNotAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SandboxDenyVnetPeering\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDenyVnetPeering')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#40": "{\n \"name\": \"Enforce-Guardrails-ContainerApps\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsVnetInjection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApp-Vnet-Injection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsVnetInjection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#41": "{\n \"name\": \"Enforce-Guardrails-KeyVault\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultManagedHsmCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57\",\n \"policyDefinitionReferenceId\": \"Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#42": "{\n \"name\": \"Enforce-Guardrails-Automation\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"autoHotPatch\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc\",\n \"policyDefinitionReferenceId\": \"Deny-Windows-Vm-HotPatch\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('autoHotPatch')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#43": "{\n \"name\": \"Enforce-Guardrails-MySQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mySqlInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlInfraEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#44": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafAfdEnabled\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Afd-Enabled\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafAfdEnabled')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#45": "{\n \"name\": \"Enforce-Guardrails-CosmosDb\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbAtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656\",\n \"policyDefinitionReferenceId\": \"Dine-CosmosDb-Atp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbAtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#46": "{\n \"name\": \"Deny-PublicPaaSEndpoints-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registries with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-KeyVaultPaasPublicIP\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#47": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#48": "{\n \"name\": \"Deploy-MDFC-Config-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#49": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#40": "{\n \"name\": \"Enforce-Guardrails-KeyVault\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultManagedHsmCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57\",\n \"policyDefinitionReferenceId\": \"Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#41": "{\n \"name\": \"Enforce-Guardrails-Automation\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"autoHotPatch\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc\",\n \"policyDefinitionReferenceId\": \"Deny-Windows-Vm-HotPatch\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('autoHotPatch')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#42": "{\n \"name\": \"Enforce-Guardrails-MySQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mySqlInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlInfraEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#43": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafAfdEnabled\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Afd-Enabled\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafAfdEnabled')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#44": "{\n \"name\": \"Enforce-Guardrails-CosmosDb\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbAtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656\",\n \"policyDefinitionReferenceId\": \"Dine-CosmosDb-Atp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbAtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#45": "{\n \"name\": \"Deny-PublicPaaSEndpoints-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registries with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-KeyVaultPaasPublicIP\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#46": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#47": "{\n \"name\": \"Deploy-MDFC-Config-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#48": "{\n \"name\": \"Enforce-Encryption-CMK-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#49": "{\n \"name\": \"Deploy-Private-DNS-Zones-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotDeviceupdatePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotDeviceupdatePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTDeviceupdate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotDeviceupdatePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTablePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#5": "{\n \"name\": \"DenyAction-DeleteProtection\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"DenyAction Delete - Activity Log Settings and Diagnostic Settings\",\n \"description\": \"Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-DiagnosticSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-ActivityLogSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#50": "{\n \"name\": \"Deploy-Private-DNS-Zones-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotDeviceupdatePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotDeviceupdatePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTDeviceupdate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotDeviceupdatePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTablePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#51": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#52": "{\n \"name\": \"Enforce-EncryptTransit_20240509\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#53": "{\n \"name\": \"Enforce-Guardrails-ContainerApps\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#54": "{\n \"name\": \"Enforce-Guardrails-KeyVault\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#55": "{\n \"name\": \"Enforce-Guardrails-Automation\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#56": "{\n \"name\": \"Enforce-Guardrails-MySQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#57": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#58": "{\n \"name\": \"Enforce-Guardrails-CosmosDb\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#59": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#50": "{\n \"name\": \"Enforce-Guardrails-Storage-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#51": "{\n \"name\": \"Enforce-EncryptTransit_20240509-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#52": "{\n \"name\": \"Enforce-Guardrails-ContainerApps-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#53": "{\n \"name\": \"Enforce-Guardrails-KeyVault-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#54": "{\n \"name\": \"Enforce-Guardrails-Automation-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#55": "{\n \"name\": \"Enforce-Guardrails-MySQL-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#56": "{\n \"name\": \"Enforce-Guardrails-Network-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#57": "{\n \"name\": \"Enforce-Guardrails-CosmosDb-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#58": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#59": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#6": "{\n \"name\": \"Deploy-AUM-CheckUpdates\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines\",\n \"description\": \"Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"assessmentMode\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Assessment mode\",\n \"description\": \"Assessment mode for the machines.\"\n },\n \"allowedValues\": [\n \"ImageDefault\",\n \"AutomaticByPlatform\"\n ],\n \"defaultValue\": \"AutomaticByPlatform\"\n },\n \"locations\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Machines locations\",\n \"description\": \"The list of locations from which machines need to be targeted.\",\n \"strongType\": \"location\"\n },\n \"defaultValue\": []\n },\n \"tagValues\": {\n \"type\": \"Object\",\n \"metadata\": {\n \"displayName\": \"Tags on machines\",\n \"description\": \"The list of tags that need to matched for getting target machines.\"\n },\n \"defaultValue\": {}\n },\n \"tagOperator\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Tag operator\",\n \"description\": \"Matching condition for resource tags\"\n },\n \"allowedValues\": [\n \"All\",\n \"Any\"\n ],\n \"defaultValue\": \"Any\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#60": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#61": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccounts\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#62": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#63": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#64": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\n \"policyDefinitionReferenceId\": \"Dine-Storage-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#65": "{\n \"name\": \"Enforce-Guardrails-KeyVault-Sup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce additional recommended guardrails for Key Vault\",\n \"description\": \"This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"keyVaultManagedHsmDisablePublicNetworkModify\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"keyVaultModifyFw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456\",\n \"policyDefinitionReferenceId\": \"Modify-KV-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\",\n \"policyDefinitionReferenceId\": \"Modify-KV-Fw\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultModifyFw')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#66": "{\n \"name\": \"Enforce-EncryptTransit\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html\",\n \"metadata\": {\n \"version\": \"2.1.0-deprecated\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Enforce-EncryptTransit_20240509\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"StorageHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }", - "$fxv#67": "{\n \"name\": \"Enforce-EncryptTransit_20240509\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#68": "{\n \"name\": \"Enforce-Guardrails-ContainerApps\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsVnetInjection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApp-Vnet-Injection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsVnetInjection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#69": "{\n \"name\": \"Enforce-Guardrails-KeyVault\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultManagedHsmCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57\",\n \"policyDefinitionReferenceId\": \"Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#60": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccounts\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#61": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#62": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#63": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\n \"policyDefinitionReferenceId\": \"Dine-Storage-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#64": "{\n \"name\": \"Enforce-Guardrails-KeyVault-Sup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce additional recommended guardrails for Key Vault\",\n \"description\": \"This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"keyVaultManagedHsmDisablePublicNetworkModify\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"keyVaultModifyFw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456\",\n \"policyDefinitionReferenceId\": \"Modify-KV-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\",\n \"policyDefinitionReferenceId\": \"Modify-KV-Fw\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultModifyFw')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#65": "{\n \"name\": \"Enforce-EncryptTransit\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html\",\n \"metadata\": {\n \"version\": \"2.1.0-deprecated\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Enforce-EncryptTransit_20240509\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"StorageHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }", + "$fxv#66": "{\n \"name\": \"Enforce-EncryptTransit_20240509\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#67": "{\n \"name\": \"Enforce-Guardrails-ContainerApps\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsVnetInjection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApp-Vnet-Injection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsVnetInjection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#68": "{\n \"name\": \"Enforce-Guardrails-KeyVault\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultManagedHsmCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57\",\n \"policyDefinitionReferenceId\": \"Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#69": "{\n \"name\": \"Enforce-Guardrails-Automation\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"autoHotPatch\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc\",\n \"policyDefinitionReferenceId\": \"Deny-Windows-Vm-HotPatch\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('autoHotPatch')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#7": "{\n \"name\": \"Enforce-Guardrails-APIM\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for API Management\",\n \"description\": \"This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"API Management\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"apiSubscriptionScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"minimumApiVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSkuVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"apimApiBackendCertValidation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDirectApiEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimCallApiAuthn\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimEncryptedProtocols\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimVnetUsage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSecrets\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Kv\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSecrets')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimVnetUsage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS\",\n \"policyDefinitionReferenceId\": \"Deny-APIM-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Protocols\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimEncryptedProtocols')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Authn\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimCallApiAuthn')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Direct-Endpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDirectApiEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Cert-Validation\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimApiBackendCertValidation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2\",\n \"policyDefinitionReferenceId\": \"Dine-Apim-Public-NetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/73ef9241-5d81-4cd4-b483-8443d1730fe5\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Sku-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSkuVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('minimumApiVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1\",\n \"policyDefinitionReferenceId\": \"Deny-Api-subscription-scope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apiSubscriptionScope')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#70": "{\n \"name\": \"Enforce-Guardrails-Automation\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"autoHotPatch\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc\",\n \"policyDefinitionReferenceId\": \"Deny-Windows-Vm-HotPatch\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('autoHotPatch')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#71": "{\n \"name\": \"Enforce-Guardrails-MySQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mySqlInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlInfraEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#72": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafAfdEnabled\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Afd-Enabled\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafAfdEnabled')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#73": "{\n \"name\": \"Enforce-Guardrails-CosmosDb\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbAtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656\",\n \"policyDefinitionReferenceId\": \"Dine-CosmosDb-Atp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbAtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#70": "{\n \"name\": \"Enforce-Guardrails-MySQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mySqlInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlInfraEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#71": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafAfdEnabled\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Afd-Enabled\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafAfdEnabled')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#72": "{\n \"name\": \"Enforce-Guardrails-CosmosDb\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbAtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656\",\n \"policyDefinitionReferenceId\": \"Dine-CosmosDb-Atp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbAtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#8": "{\n \"name\": \"Enforce-Guardrails-AppServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for App Service\",\n \"description\": \"This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"functionAppDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceSkuPl\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuthFtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceScmAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsVnetRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceEnvLatestVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceByoc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Byoc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceByoc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Remote-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Remote-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Latest-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceEnvLatestVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Vnet-Routing\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsVnetRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Rfc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222\",\n \"policyDefinitionReferenceId\": \"Deny-AppServiceApps-Rfc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb\",\n \"policyDefinitionReferenceId\": \"DINE-FuncApp-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-ScmAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceScmAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-Routing\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-FtpAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuthFtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/546fe8d2-368d-4029-a418-6af48a7f61e5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-SkuPl\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceSkuPl')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0f98368e-36bc-4716-8ac2-8f8067203b63\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Apps-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-App-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#9": "{\n \"name\": \"Enforce-Guardrails-CognitiveServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cognitive Services\",\n \"description\": \"This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveSearchSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-SKU\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6300012e-e9a4-4649-b41f-a85f5c43be91\",\n \"policyDefinitionReferenceId\": \"Deny-CongitiveSearch-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4eb216f2-9dba-4979-86e6-5d7e63ce3b75\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9cee519f-d9c1-4fd9-9f79-24ec3449ed30\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "cloudEnv": "[environment().name]", @@ -187,10 +186,10 @@ "[variables('$fxv#21')]", "[variables('$fxv#22')]", "[variables('$fxv#23')]", - "[variables('$fxv#24')]", - "[variables('$fxv#25')]" + "[variables('$fxv#24')]" ], "AzureCloud": [ + "[variables('$fxv#25')]", "[variables('$fxv#26')]", "[variables('$fxv#27')]", "[variables('$fxv#28')]", @@ -209,10 +208,10 @@ "[variables('$fxv#41')]", "[variables('$fxv#42')]", "[variables('$fxv#43')]", - "[variables('$fxv#44')]", - "[variables('$fxv#45')]" + "[variables('$fxv#44')]" ], "AzureChinaCloud": [ + "[variables('$fxv#45')]", "[variables('$fxv#46')]", "[variables('$fxv#47')]", "[variables('$fxv#48')]", @@ -224,10 +223,10 @@ "[variables('$fxv#54')]", "[variables('$fxv#55')]", "[variables('$fxv#56')]", - "[variables('$fxv#57')]", - "[variables('$fxv#58')]" + "[variables('$fxv#57')]" ], "AzureUSGovernment": [ + "[variables('$fxv#58')]", "[variables('$fxv#59')]", "[variables('$fxv#60')]", "[variables('$fxv#61')]", @@ -241,8 +240,7 @@ "[variables('$fxv#69')]", "[variables('$fxv#70')]", "[variables('$fxv#71')]", - "[variables('$fxv#72')]", - "[variables('$fxv#73')]" + "[variables('$fxv#72')]" ] }, "policySetDefinitionsByCloudType": { diff --git a/src/templates/initiatives.bicep b/src/templates/initiatives.bicep index a471d99eda..5a884771d5 100644 --- a/src/templates/initiatives.bicep +++ b/src/templates/initiatives.bicep @@ -56,7 +56,6 @@ var loadPolicySetDefinitions = { loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-PostgreSQL.json') // FSI specific initiative loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ServiceBus.json') // FSI specific initiative loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-SQL.json') // FSI specific initiative - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.json') // FSI specific initiative loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Synapse.json') // FSI specific initiative loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-VirtualDesktop.json') // FSI specific initiative ] From 776be0ae5d259acdcaf959421638cb33173da163 Mon Sep 17 00:00:00 2001 From: yuanzhang9 Date: Mon, 5 Aug 2024 18:36:25 +0800 Subject: [PATCH 13/35] Update policyset definition metadata --- .../policySetDefinitions/Enforce-EncryptTransit_20240509.json | 1 - .../policySetDefinitions/Enforce-Guardrails-Automation.json | 1 - .../policySetDefinitions/Enforce-Guardrails-ContainerApps.json | 1 - .../policySetDefinitions/Enforce-Guardrails-CosmosDb.json | 1 - .../policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.json | 1 - .../policySetDefinitions/Enforce-Guardrails-KeyVault.json | 1 - .../policySetDefinitions/Enforce-Guardrails-MySQL.json | 1 - .../policySetDefinitions/Enforce-Guardrails-Network.json | 1 - .../policySetDefinitions/Enforce-Guardrails-Storage.json | 1 - 9 files changed, 9 deletions(-) diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json index 1d96c3c4ba..cc7214c6ed 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json @@ -14,7 +14,6 @@ "replacesPolicy": "Enforce-EncryptTransit", "alzCloudEnvironments": [ "AzureCloud", - "AzureChinaCloud", "AzureUSGovernment" ] }, diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.json index 3bcb0f4344..2bfd86c6ad 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.json @@ -13,7 +13,6 @@ "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ "AzureCloud", - "AzureChinaCloud", "AzureUSGovernment" ] }, diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.json index 55ab33e46a..e8b63fa8cd 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.json @@ -13,7 +13,6 @@ "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ "AzureCloud", - "AzureChinaCloud", "AzureUSGovernment" ] }, diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.json index 78b5883aab..d51825513e 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.json @@ -13,7 +13,6 @@ "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ "AzureCloud", - "AzureChinaCloud", "AzureUSGovernment" ] }, diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.json index 3c68197a8e..67608838e1 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.json @@ -13,7 +13,6 @@ "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ "AzureCloud", - "AzureChinaCloud", "AzureUSGovernment" ] }, diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.json index 0ae85c071b..15f5759341 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.json @@ -13,7 +13,6 @@ "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ "AzureCloud", - "AzureChinaCloud", "AzureUSGovernment" ] }, diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.json index ce2b30161f..ef5db71614 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.json @@ -13,7 +13,6 @@ "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ "AzureCloud", - "AzureChinaCloud", "AzureUSGovernment" ] }, diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json index a90c9872ab..72999f5523 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json @@ -13,7 +13,6 @@ "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ "AzureCloud", - "AzureChinaCloud", "AzureUSGovernment" ] }, diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.json index c5abdeee28..340f120813 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.json @@ -13,7 +13,6 @@ "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ "AzureCloud", - "AzureChinaCloud", "AzureUSGovernment" ] }, From ac3f1051392b7e6bda71c81db99c6f3bed383144 Mon Sep 17 00:00:00 2001 From: yuanzhang9 Date: Mon, 5 Aug 2024 21:55:31 +0800 Subject: [PATCH 14/35] Update to cope with missing build-in policy in policyset --- ...cDINE-PrivateDNSZonesPolicyAssignment.json | 7 +- .../policyDefinitions/initiatives.json | 72 +++-- ...loy-Private-DNS-Zones.AzureChinaCloud.json | 21 -- ...cryptTransit_20240509.AzureChinaCloud.json | 19 -- ...Guardrails-Automation.AzureChinaCloud.json | 19 -- ...e-Guardrails-KeyVault.AzureChinaCloud.json | 19 -- ...ce-Guardrails-Network.AzureChinaCloud.json | 19 -- src/templates/initiatives.bicep | 2 +- src/templates/initiatives.json | 281 ++++++++++++++++++ 9 files changed, 322 insertions(+), 137 deletions(-) create mode 100644 src/templates/initiatives.json diff --git a/eslzArm/managementGroupTemplates/policyAssignments/china/mcDINE-PrivateDNSZonesPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/china/mcDINE-PrivateDNSZonesPolicyAssignment.json index 8c1af5096d..f547eefea4 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/china/mcDINE-PrivateDNSZonesPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/china/mcDINE-PrivateDNSZonesPolicyAssignment.json @@ -165,7 +165,8 @@ //"azureManagedGrafanaWorkspacePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.grafana.azure.com')]", "azureVirtualDesktopHostpoolPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.wvd.azure.cn')]", "azureVirtualDesktopWorkspacePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink-global.wvd.azure.cn')]", - "azureIotDeviceupdatePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azure-devices.cn')]", + // Remove "azureIotDeviceupdatePrivateDnsZoneId" due to missing built-in Policy Definitions(a222b93a-e6c2-4c01-817f-21e092455b2a) + //"azureIotDeviceupdatePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azure-devices.cn')]", // Azure Arc is NOT supported in Mooncake yet //"azureArcGuestconfigurationPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.guestconfiguration.azure.com')]", //"azureArcHybridResourceProviderPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.his.arc.azure.com')]", @@ -366,10 +367,12 @@ "azureVirtualDesktopWorkspacePrivateDnsZoneId": { "value": "[variables('policyParameterMapping').azureVirtualDesktopWorkspacePrivateDnsZoneId]" }, + /* + Remove "azureIotDeviceupdatePrivateDnsZoneId" due to missing built-in Policy Definitions(a222b93a-e6c2-4c01-817f-21e092455b2a) "azureIotDeviceupdatePrivateDnsZoneId": { "value": "[variables('policyParameterMapping').azureIotDeviceupdatePrivateDnsZoneId]" }, - + */ "azureStorageTablePrivateDnsZoneId": { "value": "[variables('policyParameterMapping').azureStorageTablePrivateDnsZoneId]" }, diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json index 97a13b9c95..fc0ac0f296 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "11926918519774617838" + "templateHash": "5367044722578931295" } }, "parameters": { @@ -105,48 +105,47 @@ "$fxv#32": "{\n \"name\": \"Deploy-MDFC-DefenderSQL-AMA\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Configure SQL VM and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LAW\",\n \"description\": \"Initiative is deprecated as the built-in initiative now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/de01d381-bae9-4670-8870-786f89f49e26.html\",\n \"metadata\": {\n \"version\": \"1.0.1-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"de01d381-bae9-4670-8870-786f89f49e26\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace Resource Id\",\n \"description\": \"Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Enable collection of SQL queries for security research\",\n \"description\": \"Enable or disable the collection of SQL queries for security research.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"identityResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Identity Resource Group\",\n \"description\": \"The name of the resource group created by the policy.\"\n },\n \"defaultValue\": \"\"\n },\n \"userAssignedIdentityName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User Assigned Managed Identity Name\",\n \"description\": \"The name of the user assigned managed identity.\"\n },\n \"defaultValue\": \"\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3592ff98-9787-443a-af59-4505d0fe0786\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65503269-6a54-4553-8a28-0065a8e6d929\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-Sql-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcDcrAssociation\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DCR-Association\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"identityResourceGroup\": {\n \"value\": \"[[parameters('identityResourceGroup')]\"\n },\n \"userAssignedIdentityName\": {\n \"value\": \"[[parameters('userAssignedIdentityName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Disabled\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#33": "{\n \"name\": \"Enforce-Backup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce enhanced recovery and backup policies\",\n \"description\": \"Enforce enhanced recovery and backup policies on assigned scopes.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Backup\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"checkLockedImmutabilityOnly\",\n \"description\": \"This parameter checks if Immutability is locked for Backup Vaults in scope. Selecting 'true' will mark only vaults with Immutability 'Locked' as compliant. Selecting 'false' will mark vaults that have Immutability either 'Enabled' or 'Locked' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"CheckAlwaysOnSoftDeleteOnly\",\n \"description\": \"This parameter checks if Soft Delete is 'Locked' for Backup Vaults in scope. Selecting 'true' will mark only vaults with Soft Delete 'AlwaysOn' as compliant. Selecting 'false' will mark vaults that have Soft Delete either 'On' or 'AlwaysOn' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2514263b-bc0d-4b06-ac3e-f262c0979018\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabiltyOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6f6f560-14b7-49a4-9fc8-d2c3a9807868\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9798d31d-6028-4dee-8643-46102185c016\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/31b8092a-36b8-434b-9af7-5ec844364148\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c58e083e-7982-4e24-afdc-be14d312389e\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c7031eab-0fc0-4cd9-acd0-4497bd66d91a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#34": "{\n \"name\": \"Enforce-ALZ-Decomm\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Decommissioned Landing Zone\",\n \"description\": \"Enforce policies in the Decommissioned Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Decommissioned\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [ \n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesAllowed\":{\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Allowed resource types in the Decommissioned landing zone\",\n \"description\": \"Allowed resource types in the Decommissioned landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DecomDenyResources\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c\",\n \"parameters\": {\n \"listOfResourceTypesAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DecomShutdownMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }\n ", - "$fxv#35": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\n \"policyDefinitionReferenceId\": \"Dine-Storage-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#36": "{\n \"name\": \"Enforce-Guardrails-KeyVault-Sup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce additional recommended guardrails for Key Vault\",\n \"description\": \"This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"keyVaultManagedHsmDisablePublicNetworkModify\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"keyVaultModifyFw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456\",\n \"policyDefinitionReferenceId\": \"Modify-KV-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\",\n \"policyDefinitionReferenceId\": \"Modify-KV-Fw\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultModifyFw')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#35": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\n \"policyDefinitionReferenceId\": \"Dine-Storage-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#36": "{\n \"name\": \"Enforce-Guardrails-KeyVault-Sup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce additional recommended guardrails for Key Vault\",\n \"description\": \"This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"keyVaultManagedHsmDisablePublicNetworkModify\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"keyVaultModifyFw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456\",\n \"policyDefinitionReferenceId\": \"Modify-KV-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\",\n \"policyDefinitionReferenceId\": \"Modify-KV-Fw\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultModifyFw')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#37": "{\n \"name\": \"Enforce-EncryptTransit\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html\",\n \"metadata\": {\n \"version\": \"2.1.0-deprecated\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Enforce-EncryptTransit_20240509\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"StorageHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }", - "$fxv#38": "{\n \"name\": \"Enforce-EncryptTransit_20240509\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#39": "{\n \"name\": \"Enforce-Guardrails-ContainerApps\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsVnetInjection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApp-Vnet-Injection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsVnetInjection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#38": "{\n \"name\": \"Enforce-EncryptTransit_20240509\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#39": "{\n \"name\": \"Enforce-Guardrails-ContainerApps\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsVnetInjection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApp-Vnet-Injection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsVnetInjection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#4": "{\n \"name\": \"Enforce-ALZ-Sandbox\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Sandbox Landing Zone\",\n \"description\": \"Enforce policies in the Sandbox Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Sandbox\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesNotAllowed\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Not allowed resource types in the Sandbox landing zone\",\n \"description\": \"Not allowed resource types in the Sandbox landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n },\n \"effectNotAllowedResources\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectDenyVnetPeering\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SandboxNotAllowed\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectNotAllowedResources')]\"\n },\n \"listOfResourceTypesNotAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesNotAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SandboxDenyVnetPeering\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDenyVnetPeering')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#40": "{\n \"name\": \"Enforce-Guardrails-KeyVault\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultManagedHsmCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57\",\n \"policyDefinitionReferenceId\": \"Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#41": "{\n \"name\": \"Enforce-Guardrails-Automation\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"autoHotPatch\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc\",\n \"policyDefinitionReferenceId\": \"Deny-Windows-Vm-HotPatch\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('autoHotPatch')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#42": "{\n \"name\": \"Enforce-Guardrails-MySQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mySqlInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlInfraEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#43": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafAfdEnabled\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Afd-Enabled\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafAfdEnabled')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#44": "{\n \"name\": \"Enforce-Guardrails-CosmosDb\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbAtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656\",\n \"policyDefinitionReferenceId\": \"Dine-CosmosDb-Atp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbAtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#40": "{\n \"name\": \"Enforce-Guardrails-KeyVault\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultManagedHsmCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57\",\n \"policyDefinitionReferenceId\": \"Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#41": "{\n \"name\": \"Enforce-Guardrails-Automation\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"autoHotPatch\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc\",\n \"policyDefinitionReferenceId\": \"Deny-Windows-Vm-HotPatch\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('autoHotPatch')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#42": "{\n \"name\": \"Enforce-Guardrails-MySQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mySqlInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlInfraEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#43": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafAfdEnabled\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Afd-Enabled\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafAfdEnabled')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#44": "{\n \"name\": \"Enforce-Guardrails-CosmosDb\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbAtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656\",\n \"policyDefinitionReferenceId\": \"Dine-CosmosDb-Atp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbAtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#45": "{\n \"name\": \"Deny-PublicPaaSEndpoints-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registries with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-KeyVaultPaasPublicIP\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#46": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#47": "{\n \"name\": \"Deploy-MDFC-Config-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#48": "{\n \"name\": \"Enforce-Encryption-CMK-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#49": "{\n \"name\": \"Deploy-Private-DNS-Zones-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotDeviceupdatePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotDeviceupdatePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTDeviceupdate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotDeviceupdatePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTablePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#49": "{\n \"name\": \"Deploy-Private-DNS-Zones-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTablePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#5": "{\n \"name\": \"DenyAction-DeleteProtection\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"DenyAction Delete - Activity Log Settings and Diagnostic Settings\",\n \"description\": \"Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-DiagnosticSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-ActivityLogSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#50": "{\n \"name\": \"Enforce-Guardrails-Storage-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#51": "{\n \"name\": \"Enforce-EncryptTransit_20240509-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#52": "{\n \"name\": \"Enforce-Guardrails-ContainerApps-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#53": "{\n \"name\": \"Enforce-Guardrails-KeyVault-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#54": "{\n \"name\": \"Enforce-Guardrails-Automation-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#55": "{\n \"name\": \"Enforce-Guardrails-MySQL-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#56": "{\n \"name\": \"Enforce-Guardrails-Network-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#57": "{\n \"name\": \"Enforce-Guardrails-CosmosDb-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#58": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#59": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#51": "{\n \"name\": \"Enforce-EncryptTransit_20240509-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#52": "{\n \"name\": \"Enforce-Guardrails-KeyVault-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#53": "{\n \"name\": \"Enforce-Guardrails-Automation-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#54": "{\n \"name\": \"Enforce-Guardrails-MySQL-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#55": "{\n \"name\": \"Enforce-Guardrails-Network-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#56": "{\n \"name\": \"Enforce-Guardrails-CosmosDb-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#57": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#58": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#59": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccounts\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#6": "{\n \"name\": \"Deploy-AUM-CheckUpdates\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines\",\n \"description\": \"Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"assessmentMode\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Assessment mode\",\n \"description\": \"Assessment mode for the machines.\"\n },\n \"allowedValues\": [\n \"ImageDefault\",\n \"AutomaticByPlatform\"\n ],\n \"defaultValue\": \"AutomaticByPlatform\"\n },\n \"locations\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Machines locations\",\n \"description\": \"The list of locations from which machines need to be targeted.\",\n \"strongType\": \"location\"\n },\n \"defaultValue\": []\n },\n \"tagValues\": {\n \"type\": \"Object\",\n \"metadata\": {\n \"displayName\": \"Tags on machines\",\n \"description\": \"The list of tags that need to matched for getting target machines.\"\n },\n \"defaultValue\": {}\n },\n \"tagOperator\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Tag operator\",\n \"description\": \"Matching condition for resource tags\"\n },\n \"allowedValues\": [\n \"All\",\n \"Any\"\n ],\n \"defaultValue\": \"Any\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#60": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccounts\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#61": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#62": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#63": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\n \"policyDefinitionReferenceId\": \"Dine-Storage-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#64": "{\n \"name\": \"Enforce-Guardrails-KeyVault-Sup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce additional recommended guardrails for Key Vault\",\n \"description\": \"This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"keyVaultManagedHsmDisablePublicNetworkModify\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"keyVaultModifyFw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456\",\n \"policyDefinitionReferenceId\": \"Modify-KV-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\",\n \"policyDefinitionReferenceId\": \"Modify-KV-Fw\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultModifyFw')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#65": "{\n \"name\": \"Enforce-EncryptTransit\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html\",\n \"metadata\": {\n \"version\": \"2.1.0-deprecated\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Enforce-EncryptTransit_20240509\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"StorageHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }", - "$fxv#66": "{\n \"name\": \"Enforce-EncryptTransit_20240509\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#67": "{\n \"name\": \"Enforce-Guardrails-ContainerApps\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsVnetInjection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApp-Vnet-Injection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsVnetInjection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#68": "{\n \"name\": \"Enforce-Guardrails-KeyVault\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultManagedHsmCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57\",\n \"policyDefinitionReferenceId\": \"Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#69": "{\n \"name\": \"Enforce-Guardrails-Automation\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"autoHotPatch\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc\",\n \"policyDefinitionReferenceId\": \"Deny-Windows-Vm-HotPatch\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('autoHotPatch')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#60": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#61": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#62": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\n \"policyDefinitionReferenceId\": \"Dine-Storage-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#63": "{\n \"name\": \"Enforce-Guardrails-KeyVault-Sup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce additional recommended guardrails for Key Vault\",\n \"description\": \"This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"keyVaultManagedHsmDisablePublicNetworkModify\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"keyVaultModifyFw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456\",\n \"policyDefinitionReferenceId\": \"Modify-KV-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\",\n \"policyDefinitionReferenceId\": \"Modify-KV-Fw\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultModifyFw')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#64": "{\n \"name\": \"Enforce-EncryptTransit\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html\",\n \"metadata\": {\n \"version\": \"2.1.0-deprecated\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Enforce-EncryptTransit_20240509\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"StorageHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }", + "$fxv#65": "{\n \"name\": \"Enforce-EncryptTransit_20240509\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#66": "{\n \"name\": \"Enforce-Guardrails-ContainerApps\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsVnetInjection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApp-Vnet-Injection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsVnetInjection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#67": "{\n \"name\": \"Enforce-Guardrails-KeyVault\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultManagedHsmCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57\",\n \"policyDefinitionReferenceId\": \"Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#68": "{\n \"name\": \"Enforce-Guardrails-Automation\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"autoHotPatch\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc\",\n \"policyDefinitionReferenceId\": \"Deny-Windows-Vm-HotPatch\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('autoHotPatch')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#69": "{\n \"name\": \"Enforce-Guardrails-MySQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mySqlInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlInfraEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#7": "{\n \"name\": \"Enforce-Guardrails-APIM\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for API Management\",\n \"description\": \"This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"API Management\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"apiSubscriptionScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"minimumApiVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSkuVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"apimApiBackendCertValidation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDirectApiEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimCallApiAuthn\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimEncryptedProtocols\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimVnetUsage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSecrets\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Kv\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSecrets')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimVnetUsage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS\",\n \"policyDefinitionReferenceId\": \"Deny-APIM-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Protocols\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimEncryptedProtocols')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Authn\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimCallApiAuthn')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Direct-Endpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDirectApiEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Cert-Validation\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimApiBackendCertValidation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2\",\n \"policyDefinitionReferenceId\": \"Dine-Apim-Public-NetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/73ef9241-5d81-4cd4-b483-8443d1730fe5\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Sku-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSkuVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('minimumApiVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1\",\n \"policyDefinitionReferenceId\": \"Deny-Api-subscription-scope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apiSubscriptionScope')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#70": "{\n \"name\": \"Enforce-Guardrails-MySQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mySqlInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlInfraEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#71": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafAfdEnabled\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Afd-Enabled\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafAfdEnabled')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#72": "{\n \"name\": \"Enforce-Guardrails-CosmosDb\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbAtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656\",\n \"policyDefinitionReferenceId\": \"Dine-CosmosDb-Atp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbAtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#70": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafAfdEnabled\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Afd-Enabled\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafAfdEnabled')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#71": "{\n \"name\": \"Enforce-Guardrails-CosmosDb\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbAtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656\",\n \"policyDefinitionReferenceId\": \"Dine-CosmosDb-Atp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbAtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#8": "{\n \"name\": \"Enforce-Guardrails-AppServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for App Service\",\n \"description\": \"This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"functionAppDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceSkuPl\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuthFtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceScmAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsVnetRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceEnvLatestVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceByoc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Byoc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceByoc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Remote-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Remote-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Latest-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceEnvLatestVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Vnet-Routing\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsVnetRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Rfc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222\",\n \"policyDefinitionReferenceId\": \"Deny-AppServiceApps-Rfc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb\",\n \"policyDefinitionReferenceId\": \"DINE-FuncApp-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-ScmAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceScmAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-Routing\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-FtpAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuthFtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/546fe8d2-368d-4029-a418-6af48a7f61e5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-SkuPl\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceSkuPl')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0f98368e-36bc-4716-8ac2-8f8067203b63\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Apps-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-App-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#9": "{\n \"name\": \"Enforce-Guardrails-CognitiveServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cognitive Services\",\n \"description\": \"This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveSearchSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-SKU\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6300012e-e9a4-4649-b41f-a85f5c43be91\",\n \"policyDefinitionReferenceId\": \"Deny-CongitiveSearch-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4eb216f2-9dba-4979-86e6-5d7e63ce3b75\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9cee519f-d9c1-4fd9-9f79-24ec3449ed30\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "cloudEnv": "[environment().name]", @@ -222,10 +221,10 @@ "[variables('$fxv#53')]", "[variables('$fxv#54')]", "[variables('$fxv#55')]", - "[variables('$fxv#56')]", - "[variables('$fxv#57')]" + "[variables('$fxv#56')]" ], "AzureUSGovernment": [ + "[variables('$fxv#57')]", "[variables('$fxv#58')]", "[variables('$fxv#59')]", "[variables('$fxv#60')]", @@ -239,8 +238,7 @@ "[variables('$fxv#68')]", "[variables('$fxv#69')]", "[variables('$fxv#70')]", - "[variables('$fxv#71')]", - "[variables('$fxv#72')]" + "[variables('$fxv#71')]" ] }, "policySetDefinitionsByCloudType": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json index fb1dbfce87..2762a9cf37 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json @@ -367,15 +367,6 @@ "description": "Private DNS Zone Identifier" } }, - "azureIotDeviceupdatePrivateDnsZoneId": { - "type": "string", - "defaultValue": "", - "metadata": { - "displayName": "azureIotDeviceupdatePrivateDnsZoneId", - "strongType": "Microsoft.Network/privateDnsZones", - "description": "Private DNS Zone Identifier" - } - }, "azureStorageTablePrivateDnsZoneId": { "type": "string", "defaultValue": "", @@ -1069,18 +1060,6 @@ } } }, - { - "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-IoTDeviceupdate", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a", - "parameters": { - "privateDnsZoneId": { - "value": "[[parameters('azureIotDeviceupdatePrivateDnsZoneId')]" - }, - "effect": { - "value": "[[parameters('effect')]" - } - } - }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Table", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.AzureChinaCloud.json index 955cbbe5f1..f4b27dca27 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.AzureChinaCloud.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.AzureChinaCloud.json @@ -445,15 +445,6 @@ "Disabled" ] }, - "containerAppsHttps": { - "type": "string", - "defaultValue": "Deny", - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ] - }, "eventHubMinTls": { "type": "string", "defaultValue": "Deny", @@ -846,16 +837,6 @@ } } }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb", - "policyDefinitionReferenceId": "Deny-ContainerApps-Https", - "groupNames": [], - "parameters": { - "effect": { - "value": "[[parameters('containerAppsHttps')]" - } - } - }, { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS", "policyDefinitionReferenceId": "Deny-EH-minTLS", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.AzureChinaCloud.json index 89d5a68003..7c11b24859 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.AzureChinaCloud.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.AzureChinaCloud.json @@ -33,15 +33,6 @@ "Deny" ] }, - "aaLocalAuth": { - "type": "string", - "defaultValue": "Deny", - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ] - }, "aaManagedIdentity": { "type": "string", "defaultValue": "Audit", @@ -70,16 +61,6 @@ } } }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700", - "policyDefinitionReferenceId": "Deny-Aa-Local-Auth", - "groupNames": [], - "parameters": { - "effect": { - "value": "[[parameters('aaLocalAuth')]" - } - } - }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735", "policyDefinitionReferenceId": "Deny-Aa-Variables-Encrypt", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.AzureChinaCloud.json index 1c75125218..5f204c8d85 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.AzureChinaCloud.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.AzureChinaCloud.json @@ -203,15 +203,6 @@ "Disabled" ] }, - "keyVaultHmsPurgeProtection": { - "type": "string", - "defaultValue": "Deny", - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ] - }, "keyVaultCertificatesPeriod": { "type": "string", "defaultValue": "Disabled", @@ -553,16 +544,6 @@ } } }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383", - "policyDefinitionReferenceId": "Deny-KV-Hms-PurgeProtection", - "groupNames": [], - "parameters": { - "effect": { - "value": "[[parameters('keyVaultHmsPurgeProtection')]" - } - } - }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560", "policyDefinitionReferenceId": "Deny-KV-Cert-Period", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.AzureChinaCloud.json index ace7e005b2..f3b139da66 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.AzureChinaCloud.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.AzureChinaCloud.json @@ -151,15 +151,6 @@ "Disabled" ] }, - "afwEnableIDPS": { - "type": "string", - "defaultValue": "Deny", - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ] - }, "vpnAzureAD": { "type": "string", "defaultValue": "Deny", @@ -265,16 +256,6 @@ } } }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a", - "policyDefinitionReferenceId": "Deny-Waf-IDPS", - "groupNames": [], - "parameters": { - "effect": { - "value": "[[parameters('afwEnableIDPS')]" - } - } - }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5", "policyDefinitionReferenceId": "Deny-FW-AllIDPSS", diff --git a/src/templates/initiatives.bicep b/src/templates/initiatives.bicep index 5a884771d5..11db6a9345 100644 --- a/src/templates/initiatives.bicep +++ b/src/templates/initiatives.bicep @@ -90,7 +90,7 @@ var loadPolicySetDefinitions = { loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (0b026355-49cb-467b-8ac4-f777874e175a) loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (361c2074-3595-4e5d-8cab-4f21dffc835c) loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (0e80e269-43a4-4ae9-b5bc-178126b8a5cb) - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (8b346db6-85af-419b-8557-92cee2c0f9bb) + //loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (8b346db6-85af-419b-8557-92cee2c0f9bb, b874ab2d-72dd-47f1-8cb5-4a306478a4e7) loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (86810a98-8e91-4a44-8386-ec66d0de5d57) loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (6d02d2f7-e38b-4bdc-96f3-adc0a8726abc) loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (3a58212a-c829-4f13-9872-6371df2fd0b4) diff --git a/src/templates/initiatives.json b/src/templates/initiatives.json new file mode 100644 index 0000000000..fc0ac0f296 --- /dev/null +++ b/src/templates/initiatives.json @@ -0,0 +1,281 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.22.6.54827", + "templateHash": "5367044722578931295" + } + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "alz", + "metadata": { + "message": "The JSON version of this file is programatically generated from Bicep. PLEASE DO NOT UPDATE MANUALLY!!", + "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of an Azure landing zone. DEFAULT VALUE = \"alz\"" + }, + "maxLength": 10 + }, + "location": { + "type": "string", + "defaultValue": "[deployment().location]", + "metadata": { + "description": "Optionally set the deployment location for policies with Deploy If Not Exists effect. DEFAULT VALUE = \"deployment().location\"" + } + }, + "scope": { + "type": "string", + "defaultValue": "[tenantResourceId('Microsoft.Management/managementGroups', parameters('topLevelManagementGroupPrefix'))]", + "metadata": { + "description": "Optionally set the scope for custom Policy Definitions used in Policy Set Definitions (Initiatives). Must be one of '/', '/subscriptions/id' or '/providers/Microsoft.Management/managementGroups/id'. DEFAULT VALUE = '/providers/Microsoft.Management/managementGroups/${topLevelManagementGroupPrefix}'" + } + } + }, + "variables": { + "copy": [ + { + "name": "processPolicySetDefinitionsAll", + "count": "[length(variables('loadPolicySetDefinitions').All)]", + "input": "[replace(variables('loadPolicySetDefinitions').All[copyIndex('processPolicySetDefinitionsAll')], variables('templateVars').scope, parameters('scope'))]" + }, + { + "name": "processPolicySetDefinitionsAzureCloud", + "count": "[length(variables('loadPolicySetDefinitions').AzureCloud)]", + "input": "[replace(variables('loadPolicySetDefinitions').AzureCloud[copyIndex('processPolicySetDefinitionsAzureCloud')], variables('templateVars').scope, parameters('scope'))]" + }, + { + "name": "processPolicySetDefinitionsAzureChinaCloud", + "count": "[length(variables('loadPolicySetDefinitions').AzureChinaCloud)]", + "input": "[replace(variables('loadPolicySetDefinitions').AzureChinaCloud[copyIndex('processPolicySetDefinitionsAzureChinaCloud')], variables('templateVars').scope, parameters('scope'))]" + }, + { + "name": "processPolicySetDefinitionsAzureUSGovernment", + "count": "[length(variables('loadPolicySetDefinitions').AzureUSGovernment)]", + "input": "[replace(variables('loadPolicySetDefinitions').AzureUSGovernment[copyIndex('processPolicySetDefinitionsAzureUSGovernment')], variables('templateVars').scope, parameters('scope'))]" + }, + { + "name": "policySetDefinitionsAll", + "count": "[length(variables('processPolicySetDefinitionsAll'))]", + "input": "[json(variables('processPolicySetDefinitionsAll')[copyIndex('policySetDefinitionsAll')])]" + }, + { + "name": "policySetDefinitionsAzureCloud", + "count": "[length(variables('processPolicySetDefinitionsAzureCloud'))]", + "input": "[json(variables('processPolicySetDefinitionsAzureCloud')[copyIndex('policySetDefinitionsAzureCloud')])]" + }, + { + "name": "policySetDefinitionsAzureChinaCloud", + "count": "[length(variables('processPolicySetDefinitionsAzureChinaCloud'))]", + "input": "[json(variables('processPolicySetDefinitionsAzureChinaCloud')[copyIndex('policySetDefinitionsAzureChinaCloud')])]" + }, + { + "name": "policySetDefinitionsAzureUSGovernment", + "count": "[length(variables('processPolicySetDefinitionsAzureUSGovernment'))]", + "input": "[json(variables('processPolicySetDefinitionsAzureUSGovernment')[copyIndex('policySetDefinitionsAzureUSGovernment')])]" + } + ], + "$fxv#0": "{\n \"name\": \"Audit-UnusedResourcesCostOptimization\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Unused resources driving cost should be avoided\",\n \"description\": \"Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Cost Optimization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectDisks\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Disks Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Compute/disks\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectPublicIpAddresses\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PublicIpAddresses Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Network/publicIpAddresses\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectServerFarms\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"ServerFarms Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Web/serverfarms\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AuditDisksUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDisks')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditPublicIpAddressesUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectPublicIpAddresses')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditServerFarmsUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectServerFarms')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditAzureHybridBenefitUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Audit\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#1": "{\n \"name\": \"Audit-TrustedLaunch\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Audit virtual machines for Trusted Launch support\",\n \"description\": \"Trusted Launch improves security of a Virtual Machine which requires VM SKU, OS Disk & OS Image to support it (Gen 2). To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Trusted Launch\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AuditDisksOsTrustedLaunch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b03bb370-5249-4ea4-9fce-2552e87e45fa\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditTrustedLaunchEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95b54ad-0614-4633-ab29-104b01235cbf\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#10": "{\n \"name\": \"Enforce-Guardrails-Compute\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Compute\",\n \"description\": \"This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Compute\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"diskDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vmAndVmssEncryptionHost\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87\",\n \"policyDefinitionReferenceId\": \"Deny-VmAndVmss-Encryption-Host\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vmAndVmssEncryptionHost')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816\",\n \"policyDefinitionReferenceId\": \"Deny-Disk-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('diskDoubleEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#11": "{\n \"name\": \"Enforce-Guardrails-ContainerInstance\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Instances\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerInstanceVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8af8f826-edcb-4178-b35f-851ea6fea615\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceVnet')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#12": "{\n \"name\": \"Enforce-Guardrails-ContainerRegistry\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Registry\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Registry\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerRegistryUnrestrictedNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryExports\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistrySkuPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a9b426fe-8856-4945-8600-18c5dd1cca2a\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Repo-Token\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/42781ec6-6127-4c30-bdfa-fb423a0047d3\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Arm-Audience\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/785596ed-054f-41bc-aaec-7f3d0ba05725\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Arm-Audience\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd560fc0-3c69-498a-ae9f-aa8eb7de0e13\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Sku-PrivateLink\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistrySkuPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Anonymous-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Anonymous-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/524b0254-c285-4903-bee6-bb8126cde579\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Exports\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryExports')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff05e24e-195c-447e-b322-5e90c9f9f366\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Repo-Token\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Unrestricted-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryUnrestrictedNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3701552-92ea-433e-9d17-33b7f1208fc9\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#13": "{\n \"name\": \"Enforce-Guardrails-DataExplorer\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Explorer\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Explorer is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Azure Data Explorer\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adxEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1fec9658-933f-4b3e-bc95-913ed22d012b\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Sku-without-PL-Support\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7b32f193-cb28-4e15-9a98-b9556db0bafa\",\n \"policyDefinitionReferenceId\": \"Modify-ADX-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#14": "{\n \"name\": \"Enforce-Guardrails-DataFactory\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Factory\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Factory is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Data Factory\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adfSqlIntegration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfLinkedServiceKeyVault\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfGit\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f78ccdb4-7bf4-4106-8647-270491d2978a\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/77d40665-3120-4348-b539-3192ec808307\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Git\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfGit')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/127ef6d7-242f-43b3-9eef-947faf1725d0\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Linked-Service-Key-Vault\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfLinkedServiceKeyVault')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0088bc63-6dee-4a9c-9d29-91cfdc848952\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Sql-Integration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfSqlIntegration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08b1442b-7789-4130-8506-4f99a97226a7\",\n \"policyDefinitionReferenceId\": \"Modify-Adf-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#15": "{\n \"name\": \"Enforce-Guardrails-EventGrid\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Grid\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Grid is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Grid\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventGridLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2dd0e8b9-4289-4bb0-b813-1883298e9924\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Partner-Namespace-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae9fb87f-8a17-4428-94a4-8135d431055c\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c8144d9-746a-4501-b08c-093c8d29ad04\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8632b003-3545-4b29-85e6-b2b96773df1e\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Partner-Namespace-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8bfadddb-ee1c-4639-8911-a38cb8e0b3bd\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/898e9824-104c-4965-8e0e-5197588fa5d4\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/36ea4b4b-0f7f-4a54-89fa-ab18f555a172\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#16": "{\n \"name\": \"Enforce-Guardrails-EventHub\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Hub\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Hub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventHubAuthRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/836cd60e-87f3-4e6a-a27c-29d687f01a4c\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/57f35901-8389-40bb-ac49-3ba4f86d889d\",\n \"policyDefinitionReferenceId\": \"Modify-EH-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5d4e3c65-4873-47be-94f3-6f8b953a3598\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Auth-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubAuthRules')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#17": "{\n \"name\": \"Enforce-Guardrails-Kubernetes\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Kubernetes\",\n \"description\": \"This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Kubernetes\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aksKms\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksCni\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivateCluster\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksCommandInvoke\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksReadinessOrLivenessProbes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivContainers\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivEscalation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksAllowedCapabilities\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksTempDisk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksInternalLb\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksDefaultNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksNakedPods\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksShareHostProcessAndNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksWindowsContainerAdministrator\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5485eac0-7e8f-4964-998b-a44f4f0c1e75\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Windows-Container-Administrator\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksWindowsContainerAdministrator')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Shared-Host-Process-Namespace\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksShareHostProcessAndNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65280eef-c8b4-425e-9aec-af55e55bf581\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Naked-Pods\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksNakedPods')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Default-Namespace\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksDefaultNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Internal-Lb\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksInternalLb')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Temp-Disk-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksTempDisk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Allowed-Capabilities\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksAllowedCapabilities')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Escalation\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivEscalation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Containers\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivContainers')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b1a9997f-2883-4f12-bdff-2280f99b5915\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-ReadinessOrLiveness-Probes\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksReadinessOrLivenessProbes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b708b0a-3380-40e9-8b79-821f9fa224cc\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Command-Invoke\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCommandInvoke')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Policy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPolicy')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Private-Cluster\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivateCluster')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dbbdc317-9734-4dd8-9074-993b29c69008\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Kms\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksKms')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46238e2f-3f6f-4589-9f3f-77bed4116e67\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Cni\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCni')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#18": "{\n \"name\": \"Enforce-Guardrails-MachineLearning\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Machine Learning\",\n \"description\": \"This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mlUserAssignedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"mlLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlOutdatedOS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f110a506-2dcb-422e-bcea-d533fc8c35e2\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Outdated-Os\",\n \"groupNames\": [],\n \"parameters\": {\n \"effects\": {\n \"value\": \"[[parameters('mlOutdatedOS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6f9a2d0-cff7-4855-83ad-4cd750666512\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0c7d88-c7de-45b8-ac49-db49e72eaa78\",\n \"policyDefinitionReferenceId\": \"Deny-ML-User-Assigned-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlUserAssignedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a10ee784-7409-4941-b091-663697637c0f\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#19": "{\n \"name\": \"Enforce-Guardrails-OpenAI\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Open AI (Cognitive Service)\",\n \"description\": \"This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveServicesOutboundNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAcls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesCustomerStorage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-OutboundNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesOutboundNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-NetworkAcls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAcls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Cust-Storage\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesCustomerStorage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyDisableLocalAuth')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#2": "{\n \"name\": \"Deploy-Sql-Security\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy SQL Database built-in SQL security configuration\",\n \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-Sql-Security_20240529.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-Sql-Security_20240529\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"metadata\": {\n \"description\": \"The email address to send alerts\",\n \"displayName\": \"The email address to send alerts\"\n },\n \"type\": \"String\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n },\n \"type\": \"String\"\n },\n \"SqlDbTdeDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n }\n },\n \"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n }\n },\n \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL database auditing settings\",\n \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n }\n },\n \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#20": "{\n \"name\": \"Enforce-Guardrails-PostgreSQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for PostgreSQL\",\n \"description\": \"This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"PostgreSQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"postgreSqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3\",\n \"policyDefinitionReferenceId\": \"Dine-PostgreSql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#21": "{\n \"name\": \"Enforce-Guardrails-ServiceBus\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Service Bus\",\n \"description\": \"This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Service Bus\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"serviceBusModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyDisabledLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusAuthzRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Authz-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusAuthzRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebaf4f25-a4e8-415f-86a8-42d9155bef0b\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfb11c26-f069-4c14-8e36-56c394dae5af\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyDisabledLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e\",\n \"policyDefinitionReferenceId\": \"Modify-Sb-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusModifyDisableLocalAuth')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#22": "{\n \"name\": \"Enforce-Guardrails-SQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for SQL and SQL Managed Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"sqlManagedAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"modifySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Managed-Defender\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Aad-Only\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Aad-Only\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Adv-Data\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b\",\n \"policyDefinitionReferenceId\": \"Modify-Sql-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifySqlPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#23": "{\n \"name\": \"Enforce-Guardrails-Synapse\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Synapse workspaces\",\n \"description\": \"This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Synapse\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"synapseLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseManagedVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseDataTraffic\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTenants\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseAllowedTenantIds\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"[[subscription().tenantId]\"\n ]\n },\n \"synapseFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"synapseModifyTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6\",\n \"policyDefinitionReferenceId\": \"Dine-Synapse-Defender\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3624673-d2ff-48e0-b28c-5de1c6767c3c\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56fd377d-098c-4f02-8406-81eb055902b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a003702-13d2-4679-941b-937e58c443f0\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tenant-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTenants')]\"\n },\n \"allowedTenantIds\": {\n \"value\": \"[[parameters('synapseAllowedTenantIds')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3484ce98-c0c5-4c83-994b-c5ac24785218\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Data-Traffic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDataTraffic')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d9dbfa3-927b-4cf0-9d0f-08747f971650\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Managed-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseManagedVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b5c654c-fb07-471b-aa8f-15fea733f140\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c8cad01-ef30-4891-b230-652dadb4876a\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#24": "{\n \"name\": \"Enforce-Guardrails-VirtualDesktop\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Virtual Desktop\",\n \"description\": \"This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Desktop Virtualization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"avdWorkspaceModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ce6ebf1d-0b94-4df9-9257-d8cacc238b4f\",\n \"policyDefinitionReferenceId\": \"Modify-Workspace-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspaceModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a0913ff-51e7-47b8-97bb-ea17127f7c8d\",\n \"policyDefinitionReferenceId\": \"Modify-Hostpool-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#25": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"5.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registries with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"PostgreSQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSql Flexible Server\",\n \"description\": \"This policy denies creation of PostgreSQL Flexible DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"postgreSqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSQL servers\",\n \"description\": \"This policy denies creation of PostgreSQL DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MySQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for MySQL Flexible Server\",\n \"description\": \"This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MlPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Machine Learning\",\n \"description\": \"This policy denies creation of Azure Machine Learning with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"RedisCachePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Cache for Redis\",\n \"description\": \"This policy denies creation of Azure Cache for Redis with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BotServicePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Bot Service\",\n \"description\": \"This policy denies creation of Bot Service with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AutomationPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Automation accounts\",\n \"description\": \"This policy denies creation of Automation accounts with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AppConfigPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Configuration\",\n \"description\": \"This policy denies creation of App Configuration with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionAppSlotPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service Environment apps\",\n \"description\": \"This policy denies creation of App Service Environment apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service apps\",\n \"description\": \"This policy denies creation of App Service apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ApiManPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for API Management services\",\n \"description\": \"This policy denies creation of API Management services with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n },\n \"ContainerAppsEnvironmentDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Container Apps environment should disable public network access\",\n \"description\": \"This policy denies creation of Container Apps Environment with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsrVaultDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Azure Recovery Services vaults should disable public network access\",\n \"description\": \"This policy denies creation of Azure Recovery Services vaults with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"logicAppPublicNetworkAccessEffect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"appSlotsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"cognitiveSearchPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"managedDiskPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"containerAppsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmDisablePublicNetwork\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapsePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdWorkspacePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"grafanaPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-PostgreSql-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MlPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisCachePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BotServiceDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BotServicePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppConfigDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppConfigPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppSlotsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/11c82d0c-db9f-4d7b-97c5-f3f9aa957da2\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppSlotPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AseDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApiManDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ApiManPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsEnvironmentDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsEnvironmentDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/783ea2a8-b8fd-46be-896a-9ae79643a0b1\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"AsrVaultDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9ebbbba3-4d65-4da9-bb67-b22cfaaff090\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsrVaultDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppPublicNetworkAccessEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/701a595d-38fb-4a66-ae6d-fb3735217622\",\n \"policyDefinitionReferenceId\": \"Deny-AppSlots-Public\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appSlotsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8405fdab-1faf-48aa-b702-999c9c172094\",\n \"policyDefinitionReferenceId\": \"Deny-ManagedDisk-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('managedDiskPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43bc7be6-5e69-4b0d-a2bb-e815557ca673\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1cf164be-6819-4a50-b8fa-4bcaa4f98fb6\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8f774be-6aee-492a-9e29-486ef81f3a68\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1adadefe-5f21-44f7-b931-a59b54ccdb45\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0602787f-9896-402a-a6e1-39ee63ee435e\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/19ea9d63-adee-4431-a95e-1913c6c1c75f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PublicNetwork\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetwork')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cbd11fd3-3002-4907-b6c8-579f0e700e13\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Public-Endpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Public-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsPublicAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/38d8df46-cf4e-4073-8e03-48c24b29de0d\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapsePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ac3038-c07a-4b92-860d-29e270a4f3cd\",\n \"policyDefinitionReferenceId\": \"Deny-Workspace-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspacePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c25dcf31-878f-4eba-98eb-0818fdc6a334\",\n \"policyDefinitionReferenceId\": \"Deny-Hostpool-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8775d5a-73b7-4977-a39b-833ef0114628\",\n \"policyDefinitionReferenceId\": \"Deny-Grafana-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('grafanaPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#26": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. This policy set is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"2.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for API Management to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for API Management to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for Firewall to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for Firewall to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Log Analytics to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category Audit enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AVDScalingPlansLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AVDScalingPlansLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#27": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html\",\n \"metadata\": {\n \"version\": \"7.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-MDFC-Config_20240319\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"default\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForApis\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForApis\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForApis')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#28": "{\n \"name\": \"Deploy-MDFC-Config_20240319\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-MDFC-Config\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"mdeTvm\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#29": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"2.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDatabricksPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDatabricksPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureHDInsightPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMigratePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMigratePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueueSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueueSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesKeyPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesKeyPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesLivePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesLivePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesStreamPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesStreamPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBotServicePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBotServicePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureManagedGrafanaWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureManagedGrafanaWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotDeviceupdatePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotDeviceupdatePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcGuestconfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcGuestconfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcHybridResourceProviderPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcHybridResourceProviderPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcKubernetesConfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcKubernetesConfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotCentralPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotCentralPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-UI-Api\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"databricks_ui_api\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-Browser-AuthN\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"browser_authentication\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Migrate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMigratePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Key\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesKeyPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"keydelivery\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Live\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesLivePrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"liveevent\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Stream\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesStreamPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"streamingendpoint\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-BotService\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6a4e6f44-f2af-4082-9702-033c9e88b9f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBotServicePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ManagedGrafanaWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4c8537f8-cd1b-49ec-b704-18e82a42fd58\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureManagedGrafanaWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTDeviceupdate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotDeviceupdatePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Arc\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9\",\n \"parameters\":{\n \"privateDnsZoneIDForGuestConfiguration\": {\n \"value\": \"[[parameters('azureArcGuestconfigurationPrivateDnsZoneId')]\"\n },\n \"privateDnsZoneIDForHybridResourceProvider\": {\n \"value\": \"[[parameters('azureArcHybridResourceProviderPrivateDnsZoneId')]\"\n },\n \"privateDnsZoneIDForKubernetesConfiguration\": {\n \"value\": \"[[parameters('azureArcKubernetesConfigurationPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTCentral\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d627d7c6-ded5-481a-8f2e-7e16b1e6faf6\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotCentralPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTablePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#3": "{\n \"name\": \"Deploy-Sql-Security_20240529\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy SQL Database built-in SQL security configuration\",\n \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-Sql-Security\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"metadata\": {\n \"description\": \"The email address to send alerts\",\n \"displayName\": \"The email address to send alerts\"\n },\n \"type\": \"Array\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n },\n \"type\": \"String\"\n },\n \"SqlDbTdeDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n }\n },\n \"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n }\n },\n \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL database auditing settings\",\n \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n }\n },\n \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments_20230706\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#30": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"3.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"HealthcareAPIsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest\",\n \"description\": \"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n },\n \"AutomationAccountCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"BackupCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"osAndDataDiskCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerInstanceCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"eventHubPremiumCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlManagedCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageTableCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsEncryptionCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageQueueCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HealthcareAPIsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('HealthcareAPIsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationAccountCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671\",\n \"policyDefinitionReferenceId\": \"Deny-Backup-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BackupCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0\",\n \"policyDefinitionReferenceId\": \"Deny-OsAndDataDisk-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('osAndDataDiskCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Premium-CMK\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubPremiumCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c322315-e26d-4174-a99e-f49d351b4688\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Table-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageTableCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Encryption-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsEncryptionCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e5abd0-2554-4736-b7c0-4ffef23475ef\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Queue-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageQueueCmk')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#31": "{\n \"name\": \"Enforce-ACSB\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce Azure Compute Security Benchmark compliance auditing\",\n \"description\": \"Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Guest Configuration\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"includeArcMachines\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"true\",\n \"false\"\n ],\n \"metadata\": {\n \"displayName\": \"Include Arc connected servers\",\n \"description\": \"By selecting this option, you agree to be charged monthly per Arc connected machine.\"\n },\n \"defaultValue\": \"true\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"GcIdentity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#32": "{\n \"name\": \"Deploy-MDFC-DefenderSQL-AMA\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Configure SQL VM and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LAW\",\n \"description\": \"Initiative is deprecated as the built-in initiative now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/de01d381-bae9-4670-8870-786f89f49e26.html\",\n \"metadata\": {\n \"version\": \"1.0.1-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"de01d381-bae9-4670-8870-786f89f49e26\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace Resource Id\",\n \"description\": \"Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Enable collection of SQL queries for security research\",\n \"description\": \"Enable or disable the collection of SQL queries for security research.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"identityResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Identity Resource Group\",\n \"description\": \"The name of the resource group created by the policy.\"\n },\n \"defaultValue\": \"\"\n },\n \"userAssignedIdentityName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User Assigned Managed Identity Name\",\n \"description\": \"The name of the user assigned managed identity.\"\n },\n \"defaultValue\": \"\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3592ff98-9787-443a-af59-4505d0fe0786\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65503269-6a54-4553-8a28-0065a8e6d929\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-Sql-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcDcrAssociation\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DCR-Association\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"identityResourceGroup\": {\n \"value\": \"[[parameters('identityResourceGroup')]\"\n },\n \"userAssignedIdentityName\": {\n \"value\": \"[[parameters('userAssignedIdentityName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Disabled\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#33": "{\n \"name\": \"Enforce-Backup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce enhanced recovery and backup policies\",\n \"description\": \"Enforce enhanced recovery and backup policies on assigned scopes.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Backup\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"checkLockedImmutabilityOnly\",\n \"description\": \"This parameter checks if Immutability is locked for Backup Vaults in scope. Selecting 'true' will mark only vaults with Immutability 'Locked' as compliant. Selecting 'false' will mark vaults that have Immutability either 'Enabled' or 'Locked' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"CheckAlwaysOnSoftDeleteOnly\",\n \"description\": \"This parameter checks if Soft Delete is 'Locked' for Backup Vaults in scope. Selecting 'true' will mark only vaults with Soft Delete 'AlwaysOn' as compliant. Selecting 'false' will mark vaults that have Soft Delete either 'On' or 'AlwaysOn' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2514263b-bc0d-4b06-ac3e-f262c0979018\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabiltyOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6f6f560-14b7-49a4-9fc8-d2c3a9807868\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9798d31d-6028-4dee-8643-46102185c016\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/31b8092a-36b8-434b-9af7-5ec844364148\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c58e083e-7982-4e24-afdc-be14d312389e\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c7031eab-0fc0-4cd9-acd0-4497bd66d91a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#34": "{\n \"name\": \"Enforce-ALZ-Decomm\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Decommissioned Landing Zone\",\n \"description\": \"Enforce policies in the Decommissioned Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Decommissioned\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [ \n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesAllowed\":{\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Allowed resource types in the Decommissioned landing zone\",\n \"description\": \"Allowed resource types in the Decommissioned landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DecomDenyResources\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c\",\n \"parameters\": {\n \"listOfResourceTypesAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DecomShutdownMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }\n ", + "$fxv#35": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\n \"policyDefinitionReferenceId\": \"Dine-Storage-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#36": "{\n \"name\": \"Enforce-Guardrails-KeyVault-Sup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce additional recommended guardrails for Key Vault\",\n \"description\": \"This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"keyVaultManagedHsmDisablePublicNetworkModify\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"keyVaultModifyFw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456\",\n \"policyDefinitionReferenceId\": \"Modify-KV-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\",\n \"policyDefinitionReferenceId\": \"Modify-KV-Fw\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultModifyFw')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#37": "{\n \"name\": \"Enforce-EncryptTransit\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html\",\n \"metadata\": {\n \"version\": \"2.1.0-deprecated\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Enforce-EncryptTransit_20240509\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"StorageHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }", + "$fxv#38": "{\n \"name\": \"Enforce-EncryptTransit_20240509\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#39": "{\n \"name\": \"Enforce-Guardrails-ContainerApps\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsVnetInjection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApp-Vnet-Injection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsVnetInjection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#4": "{\n \"name\": \"Enforce-ALZ-Sandbox\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Sandbox Landing Zone\",\n \"description\": \"Enforce policies in the Sandbox Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Sandbox\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesNotAllowed\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Not allowed resource types in the Sandbox landing zone\",\n \"description\": \"Not allowed resource types in the Sandbox landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n },\n \"effectNotAllowedResources\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectDenyVnetPeering\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SandboxNotAllowed\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectNotAllowedResources')]\"\n },\n \"listOfResourceTypesNotAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesNotAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SandboxDenyVnetPeering\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDenyVnetPeering')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#40": "{\n \"name\": \"Enforce-Guardrails-KeyVault\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultManagedHsmCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57\",\n \"policyDefinitionReferenceId\": \"Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#41": "{\n \"name\": \"Enforce-Guardrails-Automation\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"autoHotPatch\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc\",\n \"policyDefinitionReferenceId\": \"Deny-Windows-Vm-HotPatch\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('autoHotPatch')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#42": "{\n \"name\": \"Enforce-Guardrails-MySQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mySqlInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlInfraEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#43": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafAfdEnabled\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Afd-Enabled\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafAfdEnabled')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#44": "{\n \"name\": \"Enforce-Guardrails-CosmosDb\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbAtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656\",\n \"policyDefinitionReferenceId\": \"Dine-CosmosDb-Atp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbAtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#45": "{\n \"name\": \"Deny-PublicPaaSEndpoints-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registries with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-KeyVaultPaasPublicIP\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#46": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#47": "{\n \"name\": \"Deploy-MDFC-Config-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#48": "{\n \"name\": \"Enforce-Encryption-CMK-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#49": "{\n \"name\": \"Deploy-Private-DNS-Zones-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTablePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#5": "{\n \"name\": \"DenyAction-DeleteProtection\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"DenyAction Delete - Activity Log Settings and Diagnostic Settings\",\n \"description\": \"Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-DiagnosticSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-ActivityLogSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#50": "{\n \"name\": \"Enforce-Guardrails-Storage-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#51": "{\n \"name\": \"Enforce-EncryptTransit_20240509-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#52": "{\n \"name\": \"Enforce-Guardrails-KeyVault-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#53": "{\n \"name\": \"Enforce-Guardrails-Automation-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#54": "{\n \"name\": \"Enforce-Guardrails-MySQL-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#55": "{\n \"name\": \"Enforce-Guardrails-Network-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#56": "{\n \"name\": \"Enforce-Guardrails-CosmosDb-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#57": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#58": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#59": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccounts\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#6": "{\n \"name\": \"Deploy-AUM-CheckUpdates\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines\",\n \"description\": \"Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"assessmentMode\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Assessment mode\",\n \"description\": \"Assessment mode for the machines.\"\n },\n \"allowedValues\": [\n \"ImageDefault\",\n \"AutomaticByPlatform\"\n ],\n \"defaultValue\": \"AutomaticByPlatform\"\n },\n \"locations\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Machines locations\",\n \"description\": \"The list of locations from which machines need to be targeted.\",\n \"strongType\": \"location\"\n },\n \"defaultValue\": []\n },\n \"tagValues\": {\n \"type\": \"Object\",\n \"metadata\": {\n \"displayName\": \"Tags on machines\",\n \"description\": \"The list of tags that need to matched for getting target machines.\"\n },\n \"defaultValue\": {}\n },\n \"tagOperator\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Tag operator\",\n \"description\": \"Matching condition for resource tags\"\n },\n \"allowedValues\": [\n \"All\",\n \"Any\"\n ],\n \"defaultValue\": \"Any\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#60": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#61": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#62": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\n \"policyDefinitionReferenceId\": \"Dine-Storage-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#63": "{\n \"name\": \"Enforce-Guardrails-KeyVault-Sup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce additional recommended guardrails for Key Vault\",\n \"description\": \"This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"keyVaultManagedHsmDisablePublicNetworkModify\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"keyVaultModifyFw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456\",\n \"policyDefinitionReferenceId\": \"Modify-KV-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\",\n \"policyDefinitionReferenceId\": \"Modify-KV-Fw\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultModifyFw')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#64": "{\n \"name\": \"Enforce-EncryptTransit\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html\",\n \"metadata\": {\n \"version\": \"2.1.0-deprecated\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Enforce-EncryptTransit_20240509\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"StorageHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }", + "$fxv#65": "{\n \"name\": \"Enforce-EncryptTransit_20240509\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#66": "{\n \"name\": \"Enforce-Guardrails-ContainerApps\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsVnetInjection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApp-Vnet-Injection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsVnetInjection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#67": "{\n \"name\": \"Enforce-Guardrails-KeyVault\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultManagedHsmCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57\",\n \"policyDefinitionReferenceId\": \"Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#68": "{\n \"name\": \"Enforce-Guardrails-Automation\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"autoHotPatch\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc\",\n \"policyDefinitionReferenceId\": \"Deny-Windows-Vm-HotPatch\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('autoHotPatch')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#69": "{\n \"name\": \"Enforce-Guardrails-MySQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mySqlInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlInfraEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#7": "{\n \"name\": \"Enforce-Guardrails-APIM\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for API Management\",\n \"description\": \"This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"API Management\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"apiSubscriptionScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"minimumApiVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSkuVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"apimApiBackendCertValidation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDirectApiEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimCallApiAuthn\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimEncryptedProtocols\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimVnetUsage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSecrets\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Kv\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSecrets')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimVnetUsage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS\",\n \"policyDefinitionReferenceId\": \"Deny-APIM-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Protocols\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimEncryptedProtocols')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Authn\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimCallApiAuthn')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Direct-Endpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDirectApiEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Cert-Validation\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimApiBackendCertValidation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2\",\n \"policyDefinitionReferenceId\": \"Dine-Apim-Public-NetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/73ef9241-5d81-4cd4-b483-8443d1730fe5\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Sku-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSkuVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('minimumApiVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1\",\n \"policyDefinitionReferenceId\": \"Deny-Api-subscription-scope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apiSubscriptionScope')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#70": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafAfdEnabled\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Afd-Enabled\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafAfdEnabled')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#71": "{\n \"name\": \"Enforce-Guardrails-CosmosDb\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbAtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656\",\n \"policyDefinitionReferenceId\": \"Dine-CosmosDb-Atp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbAtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#8": "{\n \"name\": \"Enforce-Guardrails-AppServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for App Service\",\n \"description\": \"This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"functionAppDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceSkuPl\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuthFtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceScmAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsVnetRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceEnvLatestVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceByoc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Byoc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceByoc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Remote-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Remote-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Latest-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceEnvLatestVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Vnet-Routing\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsVnetRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Rfc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222\",\n \"policyDefinitionReferenceId\": \"Deny-AppServiceApps-Rfc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb\",\n \"policyDefinitionReferenceId\": \"DINE-FuncApp-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-ScmAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceScmAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-Routing\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-FtpAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuthFtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/546fe8d2-368d-4029-a418-6af48a7f61e5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-SkuPl\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceSkuPl')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0f98368e-36bc-4716-8ac2-8f8067203b63\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Apps-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-App-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#9": "{\n \"name\": \"Enforce-Guardrails-CognitiveServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cognitive Services\",\n \"description\": \"This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveSearchSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-SKU\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6300012e-e9a4-4649-b41f-a85f5c43be91\",\n \"policyDefinitionReferenceId\": \"Deny-CongitiveSearch-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4eb216f2-9dba-4979-86e6-5d7e63ce3b75\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9cee519f-d9c1-4fd9-9f79-24ec3449ed30\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "cloudEnv": "[environment().name]", + "defaultDeploymentLocationByCloudType": { + "AzureCloud": "northeurope", + "AzureChinaCloud": "chinanorth3", + "AzureUSGovernment": "usgovvirginia" + }, + "templateVars": { + "scope": "/providers/Microsoft.Management/managementGroups/contoso", + "defaultDeploymentLocation": "\"location\": \"northeurope\"", + "localizedDeploymentLocation": "[format('\"location\": \"{0}\"', variables('defaultDeploymentLocationByCloudType')[variables('cloudEnv')])]" + }, + "loadPolicySetDefinitions": { + "All": [ + "[variables('$fxv#0')]", + "[variables('$fxv#1')]", + "[variables('$fxv#2')]", + "[variables('$fxv#3')]", + "[variables('$fxv#4')]", + "[variables('$fxv#5')]", + "[variables('$fxv#6')]", + "[variables('$fxv#7')]", + "[variables('$fxv#8')]", + "[variables('$fxv#9')]", + "[variables('$fxv#10')]", + "[variables('$fxv#11')]", + "[variables('$fxv#12')]", + "[variables('$fxv#13')]", + "[variables('$fxv#14')]", + "[variables('$fxv#15')]", + "[variables('$fxv#16')]", + "[variables('$fxv#17')]", + "[variables('$fxv#18')]", + "[variables('$fxv#19')]", + "[variables('$fxv#20')]", + "[variables('$fxv#21')]", + "[variables('$fxv#22')]", + "[variables('$fxv#23')]", + "[variables('$fxv#24')]" + ], + "AzureCloud": [ + "[variables('$fxv#25')]", + "[variables('$fxv#26')]", + "[variables('$fxv#27')]", + "[variables('$fxv#28')]", + "[variables('$fxv#29')]", + "[variables('$fxv#30')]", + "[variables('$fxv#31')]", + "[variables('$fxv#32')]", + "[variables('$fxv#33')]", + "[variables('$fxv#34')]", + "[variables('$fxv#35')]", + "[variables('$fxv#36')]", + "[variables('$fxv#37')]", + "[variables('$fxv#38')]", + "[variables('$fxv#39')]", + "[variables('$fxv#40')]", + "[variables('$fxv#41')]", + "[variables('$fxv#42')]", + "[variables('$fxv#43')]", + "[variables('$fxv#44')]" + ], + "AzureChinaCloud": [ + "[variables('$fxv#45')]", + "[variables('$fxv#46')]", + "[variables('$fxv#47')]", + "[variables('$fxv#48')]", + "[variables('$fxv#49')]", + "[variables('$fxv#50')]", + "[variables('$fxv#51')]", + "[variables('$fxv#52')]", + "[variables('$fxv#53')]", + "[variables('$fxv#54')]", + "[variables('$fxv#55')]", + "[variables('$fxv#56')]" + ], + "AzureUSGovernment": [ + "[variables('$fxv#57')]", + "[variables('$fxv#58')]", + "[variables('$fxv#59')]", + "[variables('$fxv#60')]", + "[variables('$fxv#61')]", + "[variables('$fxv#62')]", + "[variables('$fxv#63')]", + "[variables('$fxv#64')]", + "[variables('$fxv#65')]", + "[variables('$fxv#66')]", + "[variables('$fxv#67')]", + "[variables('$fxv#68')]", + "[variables('$fxv#69')]", + "[variables('$fxv#70')]", + "[variables('$fxv#71')]" + ] + }, + "policySetDefinitionsByCloudType": { + "All": "[variables('policySetDefinitionsAll')]", + "AzureCloud": "[variables('policySetDefinitionsAzureCloud')]", + "AzureChinaCloud": "[variables('policySetDefinitionsAzureChinaCloud')]", + "AzureUSGovernment": "[variables('policySetDefinitionsAzureUSGovernment')]" + }, + "policySetDefinitions": "[concat(variables('policySetDefinitionsByCloudType').All, variables('policySetDefinitionsByCloudType')[variables('cloudEnv')])]" + }, + "resources": [ + { + "copy": { + "name": "PolicySetDefinitions", + "count": "[length(variables('policySetDefinitions'))]" + }, + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2020-09-01", + "name": "[variables('policySetDefinitions')[copyIndex()].name]", + "properties": { + "description": "[variables('policySetDefinitions')[copyIndex()].properties.description]", + "displayName": "[variables('policySetDefinitions')[copyIndex()].properties.displayName]", + "metadata": "[variables('policySetDefinitions')[copyIndex()].properties.metadata]", + "parameters": "[variables('policySetDefinitions')[copyIndex()].properties.parameters]", + "policyType": "[variables('policySetDefinitions')[copyIndex()].properties.policyType]", + "policyDefinitions": "[variables('policySetDefinitions')[copyIndex()].properties.policyDefinitions]", + "policyDefinitionGroups": "[variables('policySetDefinitions')[copyIndex()].properties.policyDefinitionGroups]" + } + } + ], + "outputs": { + "policySetDefinitionNames": { + "type": "array", + "copy": { + "count": "[length(variables('policySetDefinitions'))]", + "input": "[variables('policySetDefinitions')[copyIndex()].name]" + } + } + } +} \ No newline at end of file From 49ab8e7b479380f55a3418f6b2de17855841c428 Mon Sep 17 00:00:00 2001 From: yuanzhang9 Date: Mon, 5 Aug 2024 22:39:04 +0800 Subject: [PATCH 15/35] Update for missing buid-in policy --- ...loy-Private-DNS-Zones.AzureChinaCloud.json | 9 +++++++++ ...Guardrails-Automation.AzureChinaCloud.json | 18 ------------------ ...e-Guardrails-KeyVault.AzureChinaCloud.json | 19 ------------------- ...ce-Guardrails-Network.AzureChinaCloud.json | 19 ------------------- 4 files changed, 9 insertions(+), 56 deletions(-) diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json index 2762a9cf37..2162328030 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json @@ -106,6 +106,15 @@ "description": "Private DNS Zone Identifier" } }, + "azureHDInsightPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureHDInsightPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, "azureSynapseSQLPrivateDnsZoneId": { "type": "string", "defaultValue": "", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.AzureChinaCloud.json index 7c11b24859..1451a1d2c5 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.AzureChinaCloud.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.AzureChinaCloud.json @@ -16,14 +16,6 @@ ] }, "parameters": { - "aaModifyLocalAuth": { - "type": "string", - "defaultValue": "Modify", - "allowedValues": [ - "Modify", - "Disabled" - ] - }, "aaVariablesEncryption": { "type": "string", "defaultValue": "Deny", @@ -71,16 +63,6 @@ } } }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81", - "policyDefinitionReferenceId": "Modify-Aa-Local-Auth", - "groupNames": [], - "parameters": { - "effect": { - "value": "[[parameters('aaModifyLocalAUth')]" - } - } - }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c", "policyDefinitionReferenceId": "Modify-Aa-Public-Network-Access", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.AzureChinaCloud.json index 5f204c8d85..f667b8454e 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.AzureChinaCloud.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.AzureChinaCloud.json @@ -216,15 +216,6 @@ "type": "integer", "defaultValue": 12 }, - "keyVaultHmsKeysExpiration": { - "type": "string", - "defaultValue": "Deny", - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ] - }, "keysValidPeriod": { "type": "string", "defaultValue": "Disabled", @@ -557,16 +548,6 @@ } } }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5", - "policyDefinitionReferenceId": "Deny-KV-Hms-Key-Expire", - "groupNames": [], - "parameters": { - "effect": { - "value": "[[parameters('keyVaultHmsKeysExpiration')]" - } - } - }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9", "policyDefinitionReferenceId": "Deny-KV-Keys-Expire", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.AzureChinaCloud.json index f3b139da66..463025afc9 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.AzureChinaCloud.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.AzureChinaCloud.json @@ -142,15 +142,6 @@ "Disabled" ] }, - "afwEnableAllIDPSSignatureRules": { - "type": "string", - "defaultValue": "Deny", - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ] - }, "vpnAzureAD": { "type": "string", "defaultValue": "Deny", @@ -256,16 +247,6 @@ } } }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5", - "policyDefinitionReferenceId": "Deny-FW-AllIDPSS", - "groupNames": [], - "parameters": { - "effect": { - "value": "[[parameters('afwEnableAllIDPSSignatureRules')]" - } - } - }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50", "policyDefinitionReferenceId": "Deny-FW-EmpIDPSBypass", From 6686ae210e0537056b6d465fe1f808baf0fbb9bf Mon Sep 17 00:00:00 2001 From: yuanzhang9 Date: Tue, 6 Aug 2024 10:14:34 +0800 Subject: [PATCH 16/35] Update for policyset definition due to missing build-in policy --- .../policyDefinitions/initiatives.json | 10 +- src/templates/initiatives.json | 281 ------------------ 2 files changed, 5 insertions(+), 286 deletions(-) delete mode 100644 src/templates/initiatives.json diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json index fc0ac0f296..9f12d358ea 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "5367044722578931295" + "templateHash": "1676851149951734790" } }, "parameters": { @@ -120,14 +120,14 @@ "$fxv#46": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#47": "{\n \"name\": \"Deploy-MDFC-Config-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#48": "{\n \"name\": \"Enforce-Encryption-CMK-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#49": "{\n \"name\": \"Deploy-Private-DNS-Zones-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTablePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#49": "{\n \"name\": \"Deploy-Private-DNS-Zones-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureHDInsightPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTablePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#5": "{\n \"name\": \"DenyAction-DeleteProtection\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"DenyAction Delete - Activity Log Settings and Diagnostic Settings\",\n \"description\": \"Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-DiagnosticSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-ActivityLogSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#50": "{\n \"name\": \"Enforce-Guardrails-Storage-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#51": "{\n \"name\": \"Enforce-EncryptTransit_20240509-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#52": "{\n \"name\": \"Enforce-Guardrails-KeyVault-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#53": "{\n \"name\": \"Enforce-Guardrails-Automation-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#52": "{\n \"name\": \"Enforce-Guardrails-KeyVault-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#53": "{\n \"name\": \"Enforce-Guardrails-Automation-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#54": "{\n \"name\": \"Enforce-Guardrails-MySQL-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#55": "{\n \"name\": \"Enforce-Guardrails-Network-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#55": "{\n \"name\": \"Enforce-Guardrails-Network-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#56": "{\n \"name\": \"Enforce-Guardrails-CosmosDb-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#57": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#58": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", diff --git a/src/templates/initiatives.json b/src/templates/initiatives.json deleted file mode 100644 index fc0ac0f296..0000000000 --- a/src/templates/initiatives.json +++ /dev/null @@ -1,281 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5367044722578931295" - } - }, - "parameters": { - "topLevelManagementGroupPrefix": { - "type": "string", - "defaultValue": "alz", - "metadata": { - "message": "The JSON version of this file is programatically generated from Bicep. PLEASE DO NOT UPDATE MANUALLY!!", - "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of an Azure landing zone. DEFAULT VALUE = \"alz\"" - }, - "maxLength": 10 - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optionally set the deployment location for policies with Deploy If Not Exists effect. DEFAULT VALUE = \"deployment().location\"" - } - }, - "scope": { - "type": "string", - "defaultValue": "[tenantResourceId('Microsoft.Management/managementGroups', parameters('topLevelManagementGroupPrefix'))]", - "metadata": { - "description": "Optionally set the scope for custom Policy Definitions used in Policy Set Definitions (Initiatives). Must be one of '/', '/subscriptions/id' or '/providers/Microsoft.Management/managementGroups/id'. DEFAULT VALUE = '/providers/Microsoft.Management/managementGroups/${topLevelManagementGroupPrefix}'" - } - } - }, - "variables": { - "copy": [ - { - "name": "processPolicySetDefinitionsAll", - "count": "[length(variables('loadPolicySetDefinitions').All)]", - "input": "[replace(variables('loadPolicySetDefinitions').All[copyIndex('processPolicySetDefinitionsAll')], variables('templateVars').scope, parameters('scope'))]" - }, - { - "name": "processPolicySetDefinitionsAzureCloud", - "count": "[length(variables('loadPolicySetDefinitions').AzureCloud)]", - "input": "[replace(variables('loadPolicySetDefinitions').AzureCloud[copyIndex('processPolicySetDefinitionsAzureCloud')], variables('templateVars').scope, parameters('scope'))]" - }, - { - "name": "processPolicySetDefinitionsAzureChinaCloud", - "count": "[length(variables('loadPolicySetDefinitions').AzureChinaCloud)]", - "input": "[replace(variables('loadPolicySetDefinitions').AzureChinaCloud[copyIndex('processPolicySetDefinitionsAzureChinaCloud')], variables('templateVars').scope, parameters('scope'))]" - }, - { - "name": "processPolicySetDefinitionsAzureUSGovernment", - "count": "[length(variables('loadPolicySetDefinitions').AzureUSGovernment)]", - "input": "[replace(variables('loadPolicySetDefinitions').AzureUSGovernment[copyIndex('processPolicySetDefinitionsAzureUSGovernment')], variables('templateVars').scope, parameters('scope'))]" - }, - { - "name": "policySetDefinitionsAll", - "count": "[length(variables('processPolicySetDefinitionsAll'))]", - "input": "[json(variables('processPolicySetDefinitionsAll')[copyIndex('policySetDefinitionsAll')])]" - }, - { - "name": "policySetDefinitionsAzureCloud", - "count": "[length(variables('processPolicySetDefinitionsAzureCloud'))]", - "input": "[json(variables('processPolicySetDefinitionsAzureCloud')[copyIndex('policySetDefinitionsAzureCloud')])]" - }, - { - "name": "policySetDefinitionsAzureChinaCloud", - "count": "[length(variables('processPolicySetDefinitionsAzureChinaCloud'))]", - "input": "[json(variables('processPolicySetDefinitionsAzureChinaCloud')[copyIndex('policySetDefinitionsAzureChinaCloud')])]" - }, - { - "name": "policySetDefinitionsAzureUSGovernment", - "count": "[length(variables('processPolicySetDefinitionsAzureUSGovernment'))]", - "input": "[json(variables('processPolicySetDefinitionsAzureUSGovernment')[copyIndex('policySetDefinitionsAzureUSGovernment')])]" - } - ], - "$fxv#0": "{\n \"name\": \"Audit-UnusedResourcesCostOptimization\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Unused resources driving cost should be avoided\",\n \"description\": \"Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Cost Optimization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectDisks\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Disks Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Compute/disks\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectPublicIpAddresses\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PublicIpAddresses Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Network/publicIpAddresses\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectServerFarms\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"ServerFarms Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Web/serverfarms\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AuditDisksUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDisks')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditPublicIpAddressesUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectPublicIpAddresses')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditServerFarmsUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectServerFarms')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditAzureHybridBenefitUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Audit\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#1": "{\n \"name\": \"Audit-TrustedLaunch\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Audit virtual machines for Trusted Launch support\",\n \"description\": \"Trusted Launch improves security of a Virtual Machine which requires VM SKU, OS Disk & OS Image to support it (Gen 2). To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Trusted Launch\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AuditDisksOsTrustedLaunch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b03bb370-5249-4ea4-9fce-2552e87e45fa\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditTrustedLaunchEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95b54ad-0614-4633-ab29-104b01235cbf\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#10": "{\n \"name\": \"Enforce-Guardrails-Compute\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Compute\",\n \"description\": \"This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Compute\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"diskDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vmAndVmssEncryptionHost\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87\",\n \"policyDefinitionReferenceId\": \"Deny-VmAndVmss-Encryption-Host\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vmAndVmssEncryptionHost')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816\",\n \"policyDefinitionReferenceId\": \"Deny-Disk-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('diskDoubleEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#11": "{\n \"name\": \"Enforce-Guardrails-ContainerInstance\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Instances\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerInstanceVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8af8f826-edcb-4178-b35f-851ea6fea615\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceVnet')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#12": "{\n \"name\": \"Enforce-Guardrails-ContainerRegistry\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Registry\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Registry\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerRegistryUnrestrictedNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryExports\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistrySkuPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a9b426fe-8856-4945-8600-18c5dd1cca2a\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Repo-Token\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/42781ec6-6127-4c30-bdfa-fb423a0047d3\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Arm-Audience\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/785596ed-054f-41bc-aaec-7f3d0ba05725\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Arm-Audience\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd560fc0-3c69-498a-ae9f-aa8eb7de0e13\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Sku-PrivateLink\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistrySkuPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Anonymous-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Anonymous-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/524b0254-c285-4903-bee6-bb8126cde579\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Exports\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryExports')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff05e24e-195c-447e-b322-5e90c9f9f366\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Repo-Token\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Unrestricted-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryUnrestrictedNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3701552-92ea-433e-9d17-33b7f1208fc9\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#13": "{\n \"name\": \"Enforce-Guardrails-DataExplorer\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Explorer\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Explorer is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Azure Data Explorer\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adxEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1fec9658-933f-4b3e-bc95-913ed22d012b\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Sku-without-PL-Support\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7b32f193-cb28-4e15-9a98-b9556db0bafa\",\n \"policyDefinitionReferenceId\": \"Modify-ADX-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#14": "{\n \"name\": \"Enforce-Guardrails-DataFactory\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Factory\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Factory is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Data Factory\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adfSqlIntegration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfLinkedServiceKeyVault\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfGit\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f78ccdb4-7bf4-4106-8647-270491d2978a\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/77d40665-3120-4348-b539-3192ec808307\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Git\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfGit')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/127ef6d7-242f-43b3-9eef-947faf1725d0\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Linked-Service-Key-Vault\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfLinkedServiceKeyVault')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0088bc63-6dee-4a9c-9d29-91cfdc848952\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Sql-Integration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfSqlIntegration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08b1442b-7789-4130-8506-4f99a97226a7\",\n \"policyDefinitionReferenceId\": \"Modify-Adf-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#15": "{\n \"name\": \"Enforce-Guardrails-EventGrid\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Grid\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Grid is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Grid\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventGridLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2dd0e8b9-4289-4bb0-b813-1883298e9924\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Partner-Namespace-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae9fb87f-8a17-4428-94a4-8135d431055c\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c8144d9-746a-4501-b08c-093c8d29ad04\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8632b003-3545-4b29-85e6-b2b96773df1e\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Partner-Namespace-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8bfadddb-ee1c-4639-8911-a38cb8e0b3bd\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/898e9824-104c-4965-8e0e-5197588fa5d4\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/36ea4b4b-0f7f-4a54-89fa-ab18f555a172\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#16": "{\n \"name\": \"Enforce-Guardrails-EventHub\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Hub\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Hub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventHubAuthRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/836cd60e-87f3-4e6a-a27c-29d687f01a4c\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/57f35901-8389-40bb-ac49-3ba4f86d889d\",\n \"policyDefinitionReferenceId\": \"Modify-EH-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5d4e3c65-4873-47be-94f3-6f8b953a3598\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Auth-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubAuthRules')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#17": "{\n \"name\": \"Enforce-Guardrails-Kubernetes\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Kubernetes\",\n \"description\": \"This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Kubernetes\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aksKms\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksCni\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivateCluster\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksCommandInvoke\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksReadinessOrLivenessProbes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivContainers\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivEscalation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksAllowedCapabilities\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksTempDisk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksInternalLb\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksDefaultNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksNakedPods\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksShareHostProcessAndNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksWindowsContainerAdministrator\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5485eac0-7e8f-4964-998b-a44f4f0c1e75\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Windows-Container-Administrator\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksWindowsContainerAdministrator')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Shared-Host-Process-Namespace\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksShareHostProcessAndNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65280eef-c8b4-425e-9aec-af55e55bf581\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Naked-Pods\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksNakedPods')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Default-Namespace\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksDefaultNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Internal-Lb\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksInternalLb')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Temp-Disk-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksTempDisk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Allowed-Capabilities\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksAllowedCapabilities')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Escalation\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivEscalation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Containers\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivContainers')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b1a9997f-2883-4f12-bdff-2280f99b5915\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-ReadinessOrLiveness-Probes\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksReadinessOrLivenessProbes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b708b0a-3380-40e9-8b79-821f9fa224cc\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Command-Invoke\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCommandInvoke')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Policy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPolicy')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Private-Cluster\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivateCluster')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dbbdc317-9734-4dd8-9074-993b29c69008\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Kms\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksKms')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46238e2f-3f6f-4589-9f3f-77bed4116e67\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Cni\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCni')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#18": "{\n \"name\": \"Enforce-Guardrails-MachineLearning\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Machine Learning\",\n \"description\": \"This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mlUserAssignedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"mlLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlOutdatedOS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f110a506-2dcb-422e-bcea-d533fc8c35e2\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Outdated-Os\",\n \"groupNames\": [],\n \"parameters\": {\n \"effects\": {\n \"value\": \"[[parameters('mlOutdatedOS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6f9a2d0-cff7-4855-83ad-4cd750666512\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0c7d88-c7de-45b8-ac49-db49e72eaa78\",\n \"policyDefinitionReferenceId\": \"Deny-ML-User-Assigned-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlUserAssignedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a10ee784-7409-4941-b091-663697637c0f\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#19": "{\n \"name\": \"Enforce-Guardrails-OpenAI\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Open AI (Cognitive Service)\",\n \"description\": \"This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveServicesOutboundNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAcls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesCustomerStorage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-OutboundNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesOutboundNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-NetworkAcls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAcls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Cust-Storage\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesCustomerStorage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyDisableLocalAuth')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#2": "{\n \"name\": \"Deploy-Sql-Security\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy SQL Database built-in SQL security configuration\",\n \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-Sql-Security_20240529.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-Sql-Security_20240529\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"metadata\": {\n \"description\": \"The email address to send alerts\",\n \"displayName\": \"The email address to send alerts\"\n },\n \"type\": \"String\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n },\n \"type\": \"String\"\n },\n \"SqlDbTdeDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n }\n },\n \"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n }\n },\n \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL database auditing settings\",\n \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n }\n },\n \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#20": "{\n \"name\": \"Enforce-Guardrails-PostgreSQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for PostgreSQL\",\n \"description\": \"This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"PostgreSQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"postgreSqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3\",\n \"policyDefinitionReferenceId\": \"Dine-PostgreSql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#21": "{\n \"name\": \"Enforce-Guardrails-ServiceBus\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Service Bus\",\n \"description\": \"This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Service Bus\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"serviceBusModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyDisabledLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusAuthzRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Authz-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusAuthzRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebaf4f25-a4e8-415f-86a8-42d9155bef0b\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfb11c26-f069-4c14-8e36-56c394dae5af\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyDisabledLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e\",\n \"policyDefinitionReferenceId\": \"Modify-Sb-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusModifyDisableLocalAuth')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#22": "{\n \"name\": \"Enforce-Guardrails-SQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for SQL and SQL Managed Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"sqlManagedAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"modifySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Managed-Defender\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Aad-Only\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Aad-Only\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Adv-Data\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b\",\n \"policyDefinitionReferenceId\": \"Modify-Sql-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifySqlPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#23": "{\n \"name\": \"Enforce-Guardrails-Synapse\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Synapse workspaces\",\n \"description\": \"This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Synapse\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"synapseLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseManagedVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseDataTraffic\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTenants\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseAllowedTenantIds\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"[[subscription().tenantId]\"\n ]\n },\n \"synapseFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"synapseModifyTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6\",\n \"policyDefinitionReferenceId\": \"Dine-Synapse-Defender\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3624673-d2ff-48e0-b28c-5de1c6767c3c\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56fd377d-098c-4f02-8406-81eb055902b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a003702-13d2-4679-941b-937e58c443f0\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tenant-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTenants')]\"\n },\n \"allowedTenantIds\": {\n \"value\": \"[[parameters('synapseAllowedTenantIds')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3484ce98-c0c5-4c83-994b-c5ac24785218\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Data-Traffic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDataTraffic')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d9dbfa3-927b-4cf0-9d0f-08747f971650\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Managed-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseManagedVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b5c654c-fb07-471b-aa8f-15fea733f140\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c8cad01-ef30-4891-b230-652dadb4876a\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#24": "{\n \"name\": \"Enforce-Guardrails-VirtualDesktop\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Virtual Desktop\",\n \"description\": \"This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Desktop Virtualization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"avdWorkspaceModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ce6ebf1d-0b94-4df9-9257-d8cacc238b4f\",\n \"policyDefinitionReferenceId\": \"Modify-Workspace-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspaceModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a0913ff-51e7-47b8-97bb-ea17127f7c8d\",\n \"policyDefinitionReferenceId\": \"Modify-Hostpool-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#25": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"5.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registries with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"PostgreSQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSql Flexible Server\",\n \"description\": \"This policy denies creation of PostgreSQL Flexible DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"postgreSqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSQL servers\",\n \"description\": \"This policy denies creation of PostgreSQL DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MySQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for MySQL Flexible Server\",\n \"description\": \"This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MlPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Machine Learning\",\n \"description\": \"This policy denies creation of Azure Machine Learning with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"RedisCachePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Cache for Redis\",\n \"description\": \"This policy denies creation of Azure Cache for Redis with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BotServicePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Bot Service\",\n \"description\": \"This policy denies creation of Bot Service with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AutomationPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Automation accounts\",\n \"description\": \"This policy denies creation of Automation accounts with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AppConfigPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Configuration\",\n \"description\": \"This policy denies creation of App Configuration with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionAppSlotPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service Environment apps\",\n \"description\": \"This policy denies creation of App Service Environment apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service apps\",\n \"description\": \"This policy denies creation of App Service apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ApiManPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for API Management services\",\n \"description\": \"This policy denies creation of API Management services with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n },\n \"ContainerAppsEnvironmentDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Container Apps environment should disable public network access\",\n \"description\": \"This policy denies creation of Container Apps Environment with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsrVaultDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Azure Recovery Services vaults should disable public network access\",\n \"description\": \"This policy denies creation of Azure Recovery Services vaults with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"logicAppPublicNetworkAccessEffect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"appSlotsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"cognitiveSearchPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"managedDiskPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"containerAppsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmDisablePublicNetwork\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapsePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdWorkspacePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"grafanaPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-PostgreSql-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MlPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisCachePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BotServiceDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BotServicePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppConfigDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppConfigPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppSlotsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/11c82d0c-db9f-4d7b-97c5-f3f9aa957da2\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppSlotPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AseDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApiManDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ApiManPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsEnvironmentDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsEnvironmentDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/783ea2a8-b8fd-46be-896a-9ae79643a0b1\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"AsrVaultDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9ebbbba3-4d65-4da9-bb67-b22cfaaff090\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsrVaultDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppPublicNetworkAccessEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/701a595d-38fb-4a66-ae6d-fb3735217622\",\n \"policyDefinitionReferenceId\": \"Deny-AppSlots-Public\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appSlotsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8405fdab-1faf-48aa-b702-999c9c172094\",\n \"policyDefinitionReferenceId\": \"Deny-ManagedDisk-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('managedDiskPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43bc7be6-5e69-4b0d-a2bb-e815557ca673\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1cf164be-6819-4a50-b8fa-4bcaa4f98fb6\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8f774be-6aee-492a-9e29-486ef81f3a68\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1adadefe-5f21-44f7-b931-a59b54ccdb45\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0602787f-9896-402a-a6e1-39ee63ee435e\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/19ea9d63-adee-4431-a95e-1913c6c1c75f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PublicNetwork\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetwork')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cbd11fd3-3002-4907-b6c8-579f0e700e13\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Public-Endpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Public-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsPublicAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/38d8df46-cf4e-4073-8e03-48c24b29de0d\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapsePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ac3038-c07a-4b92-860d-29e270a4f3cd\",\n \"policyDefinitionReferenceId\": \"Deny-Workspace-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspacePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c25dcf31-878f-4eba-98eb-0818fdc6a334\",\n \"policyDefinitionReferenceId\": \"Deny-Hostpool-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8775d5a-73b7-4977-a39b-833ef0114628\",\n \"policyDefinitionReferenceId\": \"Deny-Grafana-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('grafanaPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#26": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. This policy set is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"2.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for API Management to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for API Management to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for Firewall to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for Firewall to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Log Analytics to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category Audit enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AVDScalingPlansLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AVDScalingPlansLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#27": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html\",\n \"metadata\": {\n \"version\": \"7.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-MDFC-Config_20240319\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"default\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForApis\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForApis\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForApis')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#28": "{\n \"name\": \"Deploy-MDFC-Config_20240319\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-MDFC-Config\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"mdeTvm\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#29": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"2.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDatabricksPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDatabricksPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureHDInsightPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMigratePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMigratePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueueSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueueSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesKeyPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesKeyPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesLivePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesLivePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesStreamPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesStreamPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBotServicePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBotServicePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureManagedGrafanaWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureManagedGrafanaWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotDeviceupdatePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotDeviceupdatePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcGuestconfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcGuestconfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcHybridResourceProviderPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcHybridResourceProviderPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcKubernetesConfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcKubernetesConfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotCentralPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotCentralPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-UI-Api\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"databricks_ui_api\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-Browser-AuthN\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"browser_authentication\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Migrate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMigratePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Key\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesKeyPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"keydelivery\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Live\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesLivePrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"liveevent\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Stream\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesStreamPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"streamingendpoint\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-BotService\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6a4e6f44-f2af-4082-9702-033c9e88b9f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBotServicePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ManagedGrafanaWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4c8537f8-cd1b-49ec-b704-18e82a42fd58\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureManagedGrafanaWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTDeviceupdate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotDeviceupdatePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Arc\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9\",\n \"parameters\":{\n \"privateDnsZoneIDForGuestConfiguration\": {\n \"value\": \"[[parameters('azureArcGuestconfigurationPrivateDnsZoneId')]\"\n },\n \"privateDnsZoneIDForHybridResourceProvider\": {\n \"value\": \"[[parameters('azureArcHybridResourceProviderPrivateDnsZoneId')]\"\n },\n \"privateDnsZoneIDForKubernetesConfiguration\": {\n \"value\": \"[[parameters('azureArcKubernetesConfigurationPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTCentral\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d627d7c6-ded5-481a-8f2e-7e16b1e6faf6\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotCentralPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTablePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#3": "{\n \"name\": \"Deploy-Sql-Security_20240529\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy SQL Database built-in SQL security configuration\",\n \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-Sql-Security\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"metadata\": {\n \"description\": \"The email address to send alerts\",\n \"displayName\": \"The email address to send alerts\"\n },\n \"type\": \"Array\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n },\n \"type\": \"String\"\n },\n \"SqlDbTdeDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n }\n },\n \"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n }\n },\n \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL database auditing settings\",\n \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n }\n },\n \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments_20230706\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#30": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"3.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"HealthcareAPIsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest\",\n \"description\": \"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n },\n \"AutomationAccountCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"BackupCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"osAndDataDiskCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerInstanceCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"eventHubPremiumCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlManagedCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageTableCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsEncryptionCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageQueueCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HealthcareAPIsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('HealthcareAPIsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationAccountCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671\",\n \"policyDefinitionReferenceId\": \"Deny-Backup-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BackupCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0\",\n \"policyDefinitionReferenceId\": \"Deny-OsAndDataDisk-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('osAndDataDiskCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Premium-CMK\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubPremiumCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c322315-e26d-4174-a99e-f49d351b4688\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Table-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageTableCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Encryption-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsEncryptionCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e5abd0-2554-4736-b7c0-4ffef23475ef\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Queue-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageQueueCmk')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#31": "{\n \"name\": \"Enforce-ACSB\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce Azure Compute Security Benchmark compliance auditing\",\n \"description\": \"Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Guest Configuration\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"includeArcMachines\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"true\",\n \"false\"\n ],\n \"metadata\": {\n \"displayName\": \"Include Arc connected servers\",\n \"description\": \"By selecting this option, you agree to be charged monthly per Arc connected machine.\"\n },\n \"defaultValue\": \"true\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"GcIdentity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#32": "{\n \"name\": \"Deploy-MDFC-DefenderSQL-AMA\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Configure SQL VM and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LAW\",\n \"description\": \"Initiative is deprecated as the built-in initiative now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/de01d381-bae9-4670-8870-786f89f49e26.html\",\n \"metadata\": {\n \"version\": \"1.0.1-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"de01d381-bae9-4670-8870-786f89f49e26\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace Resource Id\",\n \"description\": \"Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Enable collection of SQL queries for security research\",\n \"description\": \"Enable or disable the collection of SQL queries for security research.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"identityResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Identity Resource Group\",\n \"description\": \"The name of the resource group created by the policy.\"\n },\n \"defaultValue\": \"\"\n },\n \"userAssignedIdentityName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User Assigned Managed Identity Name\",\n \"description\": \"The name of the user assigned managed identity.\"\n },\n \"defaultValue\": \"\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3592ff98-9787-443a-af59-4505d0fe0786\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65503269-6a54-4553-8a28-0065a8e6d929\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-Sql-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcDcrAssociation\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DCR-Association\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"identityResourceGroup\": {\n \"value\": \"[[parameters('identityResourceGroup')]\"\n },\n \"userAssignedIdentityName\": {\n \"value\": \"[[parameters('userAssignedIdentityName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Disabled\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#33": "{\n \"name\": \"Enforce-Backup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce enhanced recovery and backup policies\",\n \"description\": \"Enforce enhanced recovery and backup policies on assigned scopes.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Backup\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"checkLockedImmutabilityOnly\",\n \"description\": \"This parameter checks if Immutability is locked for Backup Vaults in scope. Selecting 'true' will mark only vaults with Immutability 'Locked' as compliant. Selecting 'false' will mark vaults that have Immutability either 'Enabled' or 'Locked' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"CheckAlwaysOnSoftDeleteOnly\",\n \"description\": \"This parameter checks if Soft Delete is 'Locked' for Backup Vaults in scope. Selecting 'true' will mark only vaults with Soft Delete 'AlwaysOn' as compliant. Selecting 'false' will mark vaults that have Soft Delete either 'On' or 'AlwaysOn' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2514263b-bc0d-4b06-ac3e-f262c0979018\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabiltyOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6f6f560-14b7-49a4-9fc8-d2c3a9807868\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9798d31d-6028-4dee-8643-46102185c016\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/31b8092a-36b8-434b-9af7-5ec844364148\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c58e083e-7982-4e24-afdc-be14d312389e\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c7031eab-0fc0-4cd9-acd0-4497bd66d91a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#34": "{\n \"name\": \"Enforce-ALZ-Decomm\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Decommissioned Landing Zone\",\n \"description\": \"Enforce policies in the Decommissioned Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Decommissioned\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [ \n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesAllowed\":{\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Allowed resource types in the Decommissioned landing zone\",\n \"description\": \"Allowed resource types in the Decommissioned landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DecomDenyResources\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c\",\n \"parameters\": {\n \"listOfResourceTypesAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DecomShutdownMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }\n ", - "$fxv#35": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\n \"policyDefinitionReferenceId\": \"Dine-Storage-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#36": "{\n \"name\": \"Enforce-Guardrails-KeyVault-Sup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce additional recommended guardrails for Key Vault\",\n \"description\": \"This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"keyVaultManagedHsmDisablePublicNetworkModify\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"keyVaultModifyFw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456\",\n \"policyDefinitionReferenceId\": \"Modify-KV-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\",\n \"policyDefinitionReferenceId\": \"Modify-KV-Fw\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultModifyFw')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#37": "{\n \"name\": \"Enforce-EncryptTransit\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html\",\n \"metadata\": {\n \"version\": \"2.1.0-deprecated\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Enforce-EncryptTransit_20240509\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"StorageHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }", - "$fxv#38": "{\n \"name\": \"Enforce-EncryptTransit_20240509\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#39": "{\n \"name\": \"Enforce-Guardrails-ContainerApps\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsVnetInjection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApp-Vnet-Injection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsVnetInjection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#4": "{\n \"name\": \"Enforce-ALZ-Sandbox\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Sandbox Landing Zone\",\n \"description\": \"Enforce policies in the Sandbox Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Sandbox\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesNotAllowed\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Not allowed resource types in the Sandbox landing zone\",\n \"description\": \"Not allowed resource types in the Sandbox landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n },\n \"effectNotAllowedResources\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectDenyVnetPeering\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SandboxNotAllowed\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectNotAllowedResources')]\"\n },\n \"listOfResourceTypesNotAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesNotAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SandboxDenyVnetPeering\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDenyVnetPeering')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#40": "{\n \"name\": \"Enforce-Guardrails-KeyVault\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultManagedHsmCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57\",\n \"policyDefinitionReferenceId\": \"Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#41": "{\n \"name\": \"Enforce-Guardrails-Automation\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"autoHotPatch\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc\",\n \"policyDefinitionReferenceId\": \"Deny-Windows-Vm-HotPatch\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('autoHotPatch')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#42": "{\n \"name\": \"Enforce-Guardrails-MySQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mySqlInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlInfraEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#43": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafAfdEnabled\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Afd-Enabled\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafAfdEnabled')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#44": "{\n \"name\": \"Enforce-Guardrails-CosmosDb\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbAtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656\",\n \"policyDefinitionReferenceId\": \"Dine-CosmosDb-Atp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbAtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#45": "{\n \"name\": \"Deny-PublicPaaSEndpoints-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registries with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-KeyVaultPaasPublicIP\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#46": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#47": "{\n \"name\": \"Deploy-MDFC-Config-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#48": "{\n \"name\": \"Enforce-Encryption-CMK-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#49": "{\n \"name\": \"Deploy-Private-DNS-Zones-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTablePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#5": "{\n \"name\": \"DenyAction-DeleteProtection\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"DenyAction Delete - Activity Log Settings and Diagnostic Settings\",\n \"description\": \"Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-DiagnosticSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-ActivityLogSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#50": "{\n \"name\": \"Enforce-Guardrails-Storage-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#51": "{\n \"name\": \"Enforce-EncryptTransit_20240509-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#52": "{\n \"name\": \"Enforce-Guardrails-KeyVault-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#53": "{\n \"name\": \"Enforce-Guardrails-Automation-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#54": "{\n \"name\": \"Enforce-Guardrails-MySQL-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#55": "{\n \"name\": \"Enforce-Guardrails-Network-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#56": "{\n \"name\": \"Enforce-Guardrails-CosmosDb-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#57": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#58": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#59": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccounts\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#6": "{\n \"name\": \"Deploy-AUM-CheckUpdates\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines\",\n \"description\": \"Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"assessmentMode\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Assessment mode\",\n \"description\": \"Assessment mode for the machines.\"\n },\n \"allowedValues\": [\n \"ImageDefault\",\n \"AutomaticByPlatform\"\n ],\n \"defaultValue\": \"AutomaticByPlatform\"\n },\n \"locations\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Machines locations\",\n \"description\": \"The list of locations from which machines need to be targeted.\",\n \"strongType\": \"location\"\n },\n \"defaultValue\": []\n },\n \"tagValues\": {\n \"type\": \"Object\",\n \"metadata\": {\n \"displayName\": \"Tags on machines\",\n \"description\": \"The list of tags that need to matched for getting target machines.\"\n },\n \"defaultValue\": {}\n },\n \"tagOperator\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Tag operator\",\n \"description\": \"Matching condition for resource tags\"\n },\n \"allowedValues\": [\n \"All\",\n \"Any\"\n ],\n \"defaultValue\": \"Any\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#60": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#61": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#62": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\n \"policyDefinitionReferenceId\": \"Dine-Storage-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#63": "{\n \"name\": \"Enforce-Guardrails-KeyVault-Sup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce additional recommended guardrails for Key Vault\",\n \"description\": \"This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"keyVaultManagedHsmDisablePublicNetworkModify\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"keyVaultModifyFw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456\",\n \"policyDefinitionReferenceId\": \"Modify-KV-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\",\n \"policyDefinitionReferenceId\": \"Modify-KV-Fw\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultModifyFw')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#64": "{\n \"name\": \"Enforce-EncryptTransit\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html\",\n \"metadata\": {\n \"version\": \"2.1.0-deprecated\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Enforce-EncryptTransit_20240509\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"StorageHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }", - "$fxv#65": "{\n \"name\": \"Enforce-EncryptTransit_20240509\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#66": "{\n \"name\": \"Enforce-Guardrails-ContainerApps\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsVnetInjection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApp-Vnet-Injection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsVnetInjection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#67": "{\n \"name\": \"Enforce-Guardrails-KeyVault\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultManagedHsmCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57\",\n \"policyDefinitionReferenceId\": \"Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#68": "{\n \"name\": \"Enforce-Guardrails-Automation\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"autoHotPatch\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc\",\n \"policyDefinitionReferenceId\": \"Deny-Windows-Vm-HotPatch\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('autoHotPatch')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#69": "{\n \"name\": \"Enforce-Guardrails-MySQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mySqlInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlInfraEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#7": "{\n \"name\": \"Enforce-Guardrails-APIM\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for API Management\",\n \"description\": \"This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"API Management\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"apiSubscriptionScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"minimumApiVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSkuVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"apimApiBackendCertValidation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDirectApiEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimCallApiAuthn\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimEncryptedProtocols\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimVnetUsage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSecrets\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Kv\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSecrets')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimVnetUsage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS\",\n \"policyDefinitionReferenceId\": \"Deny-APIM-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Protocols\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimEncryptedProtocols')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Authn\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimCallApiAuthn')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Direct-Endpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDirectApiEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Cert-Validation\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimApiBackendCertValidation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2\",\n \"policyDefinitionReferenceId\": \"Dine-Apim-Public-NetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/73ef9241-5d81-4cd4-b483-8443d1730fe5\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Sku-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSkuVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('minimumApiVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1\",\n \"policyDefinitionReferenceId\": \"Deny-Api-subscription-scope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apiSubscriptionScope')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#70": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafAfdEnabled\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Afd-Enabled\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafAfdEnabled')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#71": "{\n \"name\": \"Enforce-Guardrails-CosmosDb\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbAtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656\",\n \"policyDefinitionReferenceId\": \"Dine-CosmosDb-Atp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbAtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#8": "{\n \"name\": \"Enforce-Guardrails-AppServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for App Service\",\n \"description\": \"This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"functionAppDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceSkuPl\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuthFtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceScmAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsVnetRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceEnvLatestVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceByoc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Byoc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceByoc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Remote-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Remote-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Latest-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceEnvLatestVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Vnet-Routing\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsVnetRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Rfc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222\",\n \"policyDefinitionReferenceId\": \"Deny-AppServiceApps-Rfc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb\",\n \"policyDefinitionReferenceId\": \"DINE-FuncApp-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-ScmAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceScmAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-Routing\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-FtpAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuthFtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/546fe8d2-368d-4029-a418-6af48a7f61e5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-SkuPl\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceSkuPl')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0f98368e-36bc-4716-8ac2-8f8067203b63\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Apps-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-App-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#9": "{\n \"name\": \"Enforce-Guardrails-CognitiveServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cognitive Services\",\n \"description\": \"This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveSearchSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-SKU\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6300012e-e9a4-4649-b41f-a85f5c43be91\",\n \"policyDefinitionReferenceId\": \"Deny-CongitiveSearch-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4eb216f2-9dba-4979-86e6-5d7e63ce3b75\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9cee519f-d9c1-4fd9-9f79-24ec3449ed30\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "cloudEnv": "[environment().name]", - "defaultDeploymentLocationByCloudType": { - "AzureCloud": "northeurope", - "AzureChinaCloud": "chinanorth3", - "AzureUSGovernment": "usgovvirginia" - }, - "templateVars": { - "scope": "/providers/Microsoft.Management/managementGroups/contoso", - "defaultDeploymentLocation": "\"location\": \"northeurope\"", - "localizedDeploymentLocation": "[format('\"location\": \"{0}\"', variables('defaultDeploymentLocationByCloudType')[variables('cloudEnv')])]" - }, - "loadPolicySetDefinitions": { - "All": [ - "[variables('$fxv#0')]", - "[variables('$fxv#1')]", - "[variables('$fxv#2')]", - "[variables('$fxv#3')]", - "[variables('$fxv#4')]", - "[variables('$fxv#5')]", - "[variables('$fxv#6')]", - "[variables('$fxv#7')]", - "[variables('$fxv#8')]", - "[variables('$fxv#9')]", - "[variables('$fxv#10')]", - "[variables('$fxv#11')]", - "[variables('$fxv#12')]", - "[variables('$fxv#13')]", - "[variables('$fxv#14')]", - "[variables('$fxv#15')]", - "[variables('$fxv#16')]", - "[variables('$fxv#17')]", - "[variables('$fxv#18')]", - "[variables('$fxv#19')]", - "[variables('$fxv#20')]", - "[variables('$fxv#21')]", - "[variables('$fxv#22')]", - "[variables('$fxv#23')]", - "[variables('$fxv#24')]" - ], - "AzureCloud": [ - "[variables('$fxv#25')]", - "[variables('$fxv#26')]", - "[variables('$fxv#27')]", - "[variables('$fxv#28')]", - "[variables('$fxv#29')]", - "[variables('$fxv#30')]", - "[variables('$fxv#31')]", - "[variables('$fxv#32')]", - "[variables('$fxv#33')]", - "[variables('$fxv#34')]", - "[variables('$fxv#35')]", - "[variables('$fxv#36')]", - "[variables('$fxv#37')]", - "[variables('$fxv#38')]", - "[variables('$fxv#39')]", - "[variables('$fxv#40')]", - "[variables('$fxv#41')]", - "[variables('$fxv#42')]", - "[variables('$fxv#43')]", - "[variables('$fxv#44')]" - ], - "AzureChinaCloud": [ - "[variables('$fxv#45')]", - "[variables('$fxv#46')]", - "[variables('$fxv#47')]", - "[variables('$fxv#48')]", - "[variables('$fxv#49')]", - "[variables('$fxv#50')]", - "[variables('$fxv#51')]", - "[variables('$fxv#52')]", - "[variables('$fxv#53')]", - "[variables('$fxv#54')]", - "[variables('$fxv#55')]", - "[variables('$fxv#56')]" - ], - "AzureUSGovernment": [ - "[variables('$fxv#57')]", - "[variables('$fxv#58')]", - "[variables('$fxv#59')]", - "[variables('$fxv#60')]", - "[variables('$fxv#61')]", - "[variables('$fxv#62')]", - "[variables('$fxv#63')]", - "[variables('$fxv#64')]", - "[variables('$fxv#65')]", - "[variables('$fxv#66')]", - "[variables('$fxv#67')]", - "[variables('$fxv#68')]", - "[variables('$fxv#69')]", - "[variables('$fxv#70')]", - "[variables('$fxv#71')]" - ] - }, - "policySetDefinitionsByCloudType": { - "All": "[variables('policySetDefinitionsAll')]", - "AzureCloud": "[variables('policySetDefinitionsAzureCloud')]", - "AzureChinaCloud": "[variables('policySetDefinitionsAzureChinaCloud')]", - "AzureUSGovernment": "[variables('policySetDefinitionsAzureUSGovernment')]" - }, - "policySetDefinitions": "[concat(variables('policySetDefinitionsByCloudType').All, variables('policySetDefinitionsByCloudType')[variables('cloudEnv')])]" - }, - "resources": [ - { - "copy": { - "name": "PolicySetDefinitions", - "count": "[length(variables('policySetDefinitions'))]" - }, - "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2020-09-01", - "name": "[variables('policySetDefinitions')[copyIndex()].name]", - "properties": { - "description": "[variables('policySetDefinitions')[copyIndex()].properties.description]", - "displayName": "[variables('policySetDefinitions')[copyIndex()].properties.displayName]", - "metadata": "[variables('policySetDefinitions')[copyIndex()].properties.metadata]", - "parameters": "[variables('policySetDefinitions')[copyIndex()].properties.parameters]", - "policyType": "[variables('policySetDefinitions')[copyIndex()].properties.policyType]", - "policyDefinitions": "[variables('policySetDefinitions')[copyIndex()].properties.policyDefinitions]", - "policyDefinitionGroups": "[variables('policySetDefinitions')[copyIndex()].properties.policyDefinitionGroups]" - } - } - ], - "outputs": { - "policySetDefinitionNames": { - "type": "array", - "copy": { - "count": "[length(variables('policySetDefinitions'))]", - "input": "[variables('policySetDefinitions')[copyIndex()].name]" - } - } - } -} \ No newline at end of file From 7686bea9d2e3729570610e5a0f5a3db0b97b8547 Mon Sep 17 00:00:00 2001 From: yuanzhang9 Date: Tue, 6 Aug 2024 15:44:01 +0800 Subject: [PATCH 17/35] Fix policyset definition for mooncake --- ...loy-Private-DNS-Zones.AzureChinaCloud.json | 107 +++++++++++++++++- ...e-Guardrails-KeyVault.AzureChinaCloud.json | 57 ---------- ...ce-Guardrails-Network.AzureChinaCloud.json | 19 ---- 3 files changed, 101 insertions(+), 82 deletions(-) diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json index 2162328030..86a36231d3 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json @@ -115,6 +115,87 @@ "description": "Private DNS Zone Identifier" } }, + "azureStorageBlobPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureStorageBlobPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureStorageBlobSecPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureStorageBlobSecPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureStorageQueuePrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureStorageQueuePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureStorageQueueSecPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureStorageQueueSecPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureStorageFilePrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureStorageFilePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureStorageStaticWebPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureStorageStaticWebPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureStorageStaticWebSecPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureStorageStaticWebSecPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureStorageDFSPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureStorageDFSPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureStorageDFSSecPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureStorageDFSSecPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, "azureSynapseSQLPrivateDnsZoneId": { "type": "string", "defaultValue": "", @@ -187,33 +268,34 @@ "description": "Private DNS Zone Identifier" } }, - "azureBatchPrivateDnsZoneId": { + "azureWebPrivateDnsZoneId": { "type": "string", "defaultValue": "", "metadata": { - "displayName": "azureBatchPrivateDnsZoneId", + "displayName": "azureWebPrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", "description": "Private DNS Zone Identifier" } }, - "azureAppPrivateDnsZoneId": { + "azureBatchPrivateDnsZoneId": { "type": "string", "defaultValue": "", "metadata": { - "displayName": "azureAppPrivateDnsZoneId", + "displayName": "azureBatchPrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", "description": "Private DNS Zone Identifier" } }, - "azureAsrPrivateDnsZoneId": { + "azureAppPrivateDnsZoneId": { "type": "string", "defaultValue": "", "metadata": { - "displayName": "azureAsrPrivateDnsZoneId", + "displayName": "azureAppPrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", "description": "Private DNS Zone Identifier" } }, + "azureIotPrivateDnsZoneId": { "type": "string", "defaultValue": "", @@ -814,6 +896,19 @@ }, "groupNames": [] }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Web", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureWebPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Batch", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.AzureChinaCloud.json index f667b8454e..ebf8a69514 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.AzureChinaCloud.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.AzureChinaCloud.json @@ -358,37 +358,6 @@ "GlobalSign" ] }, - "keyVaultHsmMinimumDaysBeforeExpiration": { - "type": "string", - "defaultValue": "Deny", - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ] - }, - "keyVaultHsmMinimumDaysBeforeExpirationValue": { - "type": "integer", - "defaultValue": 90 - }, - "keyVaultHmsCurveNames": { - "type": "string", - "defaultValue": "Deny", - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ] - }, - "keyVaultHmsCurveNamesValue": { - "type": "array", - "defaultValue": [ - "P-256", - "P-256K", - "P-384", - "P-521" - ] - }, "keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays": { "type": "string", "defaultValue": "Deny", @@ -676,32 +645,6 @@ } } }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653", - "policyDefinitionReferenceId": "Deny-Kv-Hsm-MinimumDays-Before-Expiration", - "groupNames": [], - "parameters": { - "effect": { - "value": "[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]" - }, - "minimumDaysBeforeExpiration": { - "value": "[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e", - "policyDefinitionReferenceId": "Deny-Kv-Hsm-Curve-Names", - "groupNames": [], - "parameters": { - "effect": { - "value": "[[parameters('keyVaultHmsCurveNames')]" - }, - "allowedECNames": { - "value": "[[parameters('keyVaultHmsCurveNamesValue')]" - } - } - }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427", "policyDefinitionReferenceId": "Deny-Kv-Cert-Expiration-Within-Specific-Number-Days", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.AzureChinaCloud.json index 463025afc9..9914306a6d 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.AzureChinaCloud.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.AzureChinaCloud.json @@ -133,15 +133,6 @@ "Disabled" ] }, - "afwEmptyIDPSBypassList": { - "type": "string", - "defaultValue": "Deny", - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ] - }, "vpnAzureAD": { "type": "string", "defaultValue": "Deny", @@ -247,16 +238,6 @@ } } }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50", - "policyDefinitionReferenceId": "Deny-FW-EmpIDPSBypass", - "groupNames": [], - "parameters": { - "effect": { - "value": "[[parameters('afwEmptyIDPSBypassList')]" - } - } - }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17", "policyDefinitionReferenceId": "Deny-FW-TLS-Inspection", From d4266ccdc216294fade4b463819d1470af1625b3 Mon Sep 17 00:00:00 2001 From: yuanzhang9 Date: Tue, 6 Aug 2024 16:17:30 +0800 Subject: [PATCH 18/35] update bicep file --- .../policyDefinitions/initiatives.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json index 9f12d358ea..68a8866103 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "1676851149951734790" + "templateHash": "7463573795263158321" } }, "parameters": { @@ -120,14 +120,14 @@ "$fxv#46": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#47": "{\n \"name\": \"Deploy-MDFC-Config-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#48": "{\n \"name\": \"Enforce-Encryption-CMK-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#49": "{\n \"name\": \"Deploy-Private-DNS-Zones-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureHDInsightPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTablePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#49": "{\n \"name\": \"Deploy-Private-DNS-Zones-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureHDInsightPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueueSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueueSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTablePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#5": "{\n \"name\": \"DenyAction-DeleteProtection\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"DenyAction Delete - Activity Log Settings and Diagnostic Settings\",\n \"description\": \"Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-DiagnosticSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-ActivityLogSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#50": "{\n \"name\": \"Enforce-Guardrails-Storage-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#51": "{\n \"name\": \"Enforce-EncryptTransit_20240509-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#52": "{\n \"name\": \"Enforce-Guardrails-KeyVault-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#52": "{\n \"name\": \"Enforce-Guardrails-KeyVault-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#53": "{\n \"name\": \"Enforce-Guardrails-Automation-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#54": "{\n \"name\": \"Enforce-Guardrails-MySQL-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#55": "{\n \"name\": \"Enforce-Guardrails-Network-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#55": "{\n \"name\": \"Enforce-Guardrails-Network-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#56": "{\n \"name\": \"Enforce-Guardrails-CosmosDb-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#57": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#58": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", From 3c66029c2efd4e8315e97711bc72d7b3f6912d7f Mon Sep 17 00:00:00 2001 From: yuanzhang9 Date: Tue, 6 Aug 2024 16:59:53 +0800 Subject: [PATCH 19/35] Correction on policyset definition and assignment --- ...cDINE-PrivateDNSZonesPolicyAssignment.json | 3 ++- .../policyDefinitions/initiatives.json | 6 ++--- ...loy-Private-DNS-Zones.AzureChinaCloud.json | 22 ------------------- ...ce-Guardrails-Network.AzureChinaCloud.json | 19 ---------------- 4 files changed, 5 insertions(+), 45 deletions(-) diff --git a/eslzArm/managementGroupTemplates/policyAssignments/china/mcDINE-PrivateDNSZonesPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/china/mcDINE-PrivateDNSZonesPolicyAssignment.json index f547eefea4..ea92ddb98e 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/china/mcDINE-PrivateDNSZonesPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/china/mcDINE-PrivateDNSZonesPolicyAssignment.json @@ -138,7 +138,8 @@ "azureMonitorPrivateDnsZoneId3": "[concat(variables('baseId'), 'privatelink.ods.opinsights.azure.cn')]", "azureMonitorPrivateDnsZoneId4": "[concat(variables('baseId'), 'privatelink.agentsvc.azure-automation.net')]", // No change for Mooncake "azureMonitorPrivateDnsZoneId5": "[concat(variables('baseId'), 'privatelink.blob.core.chinacloudapi.cn')]", - "azureWebPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.webpubsub.azure.cn')]", + // Private DNS zone for Azure Web is supported in mooncake, but the build-in policy(0b026355-49cb-467b-8ac4-f777874e175a) is not available. + //"azureWebPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.webpubsub.azure.cn')]", "azureBatchPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.batch.chinacloudapi.cn')]", "azureAppPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azconfig.azure.cn')]", // Azure Site Recovery is NOT supported in Mooncake yet diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json index 68a8866103..1e4f783345 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "7463573795263158321" + "templateHash": "14488517361147590487" } }, "parameters": { @@ -120,14 +120,14 @@ "$fxv#46": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#47": "{\n \"name\": \"Deploy-MDFC-Config-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#48": "{\n \"name\": \"Enforce-Encryption-CMK-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#49": "{\n \"name\": \"Deploy-Private-DNS-Zones-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureHDInsightPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueueSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueueSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTablePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#49": "{\n \"name\": \"Deploy-Private-DNS-Zones-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureHDInsightPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueueSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueueSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTablePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#5": "{\n \"name\": \"DenyAction-DeleteProtection\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"DenyAction Delete - Activity Log Settings and Diagnostic Settings\",\n \"description\": \"Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-DiagnosticSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-ActivityLogSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#50": "{\n \"name\": \"Enforce-Guardrails-Storage-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#51": "{\n \"name\": \"Enforce-EncryptTransit_20240509-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#52": "{\n \"name\": \"Enforce-Guardrails-KeyVault-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#53": "{\n \"name\": \"Enforce-Guardrails-Automation-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#54": "{\n \"name\": \"Enforce-Guardrails-MySQL-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#55": "{\n \"name\": \"Enforce-Guardrails-Network-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#55": "{\n \"name\": \"Enforce-Guardrails-Network-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#56": "{\n \"name\": \"Enforce-Guardrails-CosmosDb-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#57": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#58": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json index 86a36231d3..5726895cad 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json @@ -268,15 +268,6 @@ "description": "Private DNS Zone Identifier" } }, - "azureWebPrivateDnsZoneId": { - "type": "string", - "defaultValue": "", - "metadata": { - "displayName": "azureWebPrivateDnsZoneId", - "strongType": "Microsoft.Network/privateDnsZones", - "description": "Private DNS Zone Identifier" - } - }, "azureBatchPrivateDnsZoneId": { "type": "string", "defaultValue": "", @@ -896,19 +887,6 @@ }, "groupNames": [] }, - { - "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Web", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a", - "parameters": { - "privateDnsZoneId": { - "value": "[[parameters('azureWebPrivateDnsZoneId')]" - }, - "effect": { - "value": "[[parameters('effect')]" - } - }, - "groupNames": [] - }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Batch", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.AzureChinaCloud.json index 9914306a6d..6c20d0fba0 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.AzureChinaCloud.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.AzureChinaCloud.json @@ -124,15 +124,6 @@ "Disabled" ] }, - "afwEnableTlsInspection": { - "type": "string", - "defaultValue": "Deny", - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ] - }, "vpnAzureAD": { "type": "string", "defaultValue": "Deny", @@ -238,16 +229,6 @@ } } }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17", - "policyDefinitionReferenceId": "Deny-FW-TLS-Inspection", - "groupNames": [], - "parameters": { - "effect": { - "value": "[[parameters('afwEnableTlsInspection')]" - } - } - }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596", "policyDefinitionReferenceId": "Deny-FW-TLS-AllApp", From 83247d2e208174bd2c30eaed1ef91591a149498e Mon Sep 17 00:00:00 2001 From: yuanzhang9 Date: Tue, 6 Aug 2024 17:27:33 +0800 Subject: [PATCH 20/35] Update policyset for mooncake due to missing build-in policy --- .../policyDefinitions/initiatives.json | 4 +- ...ce-Guardrails-Network.AzureChinaCloud.json | 64 ------------------- 2 files changed, 2 insertions(+), 66 deletions(-) diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json index 1e4f783345..18edb3eb52 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "14488517361147590487" + "templateHash": "3829309302982984702" } }, "parameters": { @@ -127,7 +127,7 @@ "$fxv#52": "{\n \"name\": \"Enforce-Guardrails-KeyVault-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#53": "{\n \"name\": \"Enforce-Guardrails-Automation-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#54": "{\n \"name\": \"Enforce-Guardrails-MySQL-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#55": "{\n \"name\": \"Enforce-Guardrails-Network-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#55": "{\n \"name\": \"Enforce-Guardrails-Network-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#56": "{\n \"name\": \"Enforce-Guardrails-CosmosDb-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#57": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#58": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.AzureChinaCloud.json index 6c20d0fba0..6d2d86d4ca 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.AzureChinaCloud.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.AzureChinaCloud.json @@ -60,28 +60,6 @@ "type": "string", "defaultValue": "" }, - "wafMode": { - "type": "string", - "defaultValue": "Deny", - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ] - }, - "wafModeRequirement": { - "type": "string", - "defaultValue": "Prevention" - }, - "wafFwRules": { - "type": "string", - "defaultValue": "Deny", - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ] - }, "wafModeAppGw": { "type": "string", "defaultValue": "Deny", @@ -115,15 +93,6 @@ "3389" ] }, - "afwEnbaleTlsForAllAppRules": { - "type": "string", - "defaultValue": "Deny", - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ] - }, "vpnAzureAD": { "type": "string", "defaultValue": "Deny", @@ -229,16 +198,6 @@ } } }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596", - "policyDefinitionReferenceId": "Deny-FW-TLS-AllApp", - "groupNames": [], - "parameters": { - "effect": { - "value": "[[parameters('afwEnbaleTlsForAllAppRules')]" - } - } - }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096", "policyDefinitionReferenceId": "Deny-Waf-AppGw-mode", @@ -252,29 +211,6 @@ } } }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d", - "policyDefinitionReferenceId": "Deny-Waf-Fw-rules", - "groupNames": [], - "parameters": { - "effect": { - "value": "[[parameters('wafFwRules')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8", - "policyDefinitionReferenceId": "Deny-Waf-mode", - "groupNames": [], - "parameters": { - "effect": { - "value": "[[parameters('wafMode')]" - }, - "modeRequirement": { - "value": "[[parameters('wafModeRequirement')]" - } - } - }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d", "policyDefinitionReferenceId": "Modify-vNet-DDoS", From c0718c8b98118818cc7e60663da257942df7513f Mon Sep 17 00:00:00 2001 From: yuanzhang9 Date: Fri, 16 Aug 2024 14:56:53 +0800 Subject: [PATCH 21/35] Update for Policy and Initiatives --- eslzArm/eslz-portal.json | 10 +- eslzArm/eslzArm.json | 30 ++++- ...-DINE-APPEND-TLS-SSL-PolicyAssignment.json | 80 ++++++++++++ .../mcENFORCE-BackupPolicyAssignment.json | 58 +++++++++ ...CE-GuardrailsKeyVaultPolicyAssignment.json | 53 ++++++++ .../policyDefinitions/initiatives.json | 114 +++++++++--------- .../Enforce-ALZ-Decomm.json | 3 +- .../Enforce-Backup.AzureChinaCloud.json | 75 ++++++++++++ src/templates/initiatives.bicep | 3 +- 9 files changed, 360 insertions(+), 66 deletions(-) create mode 100644 eslzArm/managementGroupTemplates/policyAssignments/china/mcDENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json create mode 100644 eslzArm/managementGroupTemplates/policyAssignments/china/mcENFORCE-BackupPolicyAssignment.json create mode 100644 eslzArm/managementGroupTemplates/policyAssignments/china/mcENFORCE-GuardrailsKeyVaultPolicyAssignment.json create mode 100644 src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Backup.AzureChinaCloud.json diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 0514fe77ec..ad5902ee48 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -504,7 +504,7 @@ } ] }, - "visible": "[equals(steps('management').enableLogAnalytics,'Yes')]" + "visible": "[and(equals(steps('management').enableLogAnalytics,'Yes'), equals(steps('basics').cloudEnvironment.selection, 'AzureCloud'))]" }, { "name": "enableUpdateMgmt", @@ -4324,7 +4324,7 @@ } ] }, - "visible": "[equals(steps('management').enableLogAnalytics,'Yes')]" + "visible": "[and(equals(steps('management').enableLogAnalytics,'Yes'), equals(steps('basics').cloudEnvironment.selection, 'AzureCloud'))]" }, { "name": "enableVmssMonitoring", @@ -4348,7 +4348,7 @@ } ] }, - "visible": "[equals(steps('management').enableLogAnalytics,'Yes')]" + "visible": "[and(equals(steps('management').enableLogAnalytics,'Yes'), equals(steps('basics').cloudEnvironment.selection, 'AzureCloud'))]" }, { "name": "enableVmHybridMonitoring", @@ -4372,7 +4372,7 @@ } ] }, - "visible": "[equals(steps('management').enableLogAnalytics,'Yes')]" + "visible": "[and(equals(steps('management').enableLogAnalytics,'Yes'), equals(steps('basics').cloudEnvironment.selection, 'AzureCloud'))]" }, { "name": "enableAksPolicy", @@ -4756,7 +4756,7 @@ } ] }, - "visible": true + "visible": "[equals(steps('basics').cloudEnvironment.selection, 'AzureCloud')]" } ], "visible": true diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index 65d17fd2a4..e7c1e7c805 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -1608,6 +1608,30 @@ }, "mdfcConfigPolicyInitiative": "[variables('mdfcConfigPolicyInitiativeMapping')[environment().resourceManager]]", + "tlsSslPolicyAssignmentMapping": { + "https://management.azure.com/": "managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json", + "https://management.usgovcloudapi.net": "managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json", // This needs to be updated for USGovernmentCloud + "https://management.chinacloudapi.cn": "managementGroupTemplates/policyAssignments/china/mcDENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json" + + }, + "tlsSslPolicyAssignment": "[variables('tlsSslPolicyAssignmentMapping')[environment().resourceManager]]", + + "backupPolicyAssignmentMapping": { + "https://management.azure.com/": "managementGroupTemplates/policyAssignments/ENFORCE-BackupPolicyAssignment.json", + "https://management.usgovcloudapi.net": "managementGroupTemplates/policyAssignments/ENFORCE-BackupPolicyAssignment.json", // This needs to be updated for USGovernmentCloud + "https://management.chinacloudapi.cn": "managementGroupTemplates/policyAssignments/china/mcENFORCE-BackupPolicyAssignment.json" + + }, + "backupPolicyAssignment": "[variables('backupPolicyAssignmentMapping')[environment().resourceManager]]", + + "kvGuardrailsPolicyAssignmentMapping": { + "https://management.azure.com/": "managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsKeyVaultPolicyAssignment.json", + "https://management.usgovcloudapi.net": "managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsKeyVaultPolicyAssignment.json", // This needs to be updated for USGovernmentCloud + "https://management.chinacloudapi.cn": "managementGroupTemplates/policyAssignments/china/mcENFORCE-GuardrailsKeyVaultPolicyAssignment.json" + + }, + "kvGuardrailsPolicyAssignment": "[variables('kvGuardrailsPolicyAssignmentMapping')[environment().resourceManager]]", + "deploymentUris": { "managementGroups": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/mgmtGroupStructure/mgmtGroups.json')]", "managementGroupsLite": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/mgmtGroupStructure/mgmtGroupsLite.json')]", @@ -1641,7 +1665,7 @@ "azPolicyForAksPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-AksPolicyPolicyAssignment.json')]", "aksPrivEscalationPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json')]", "aksPrivilegedPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json')]", - "tlsSslPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json')]", + "tlsSslPolicyAssignment": "[uri(deployment().properties.templateLink.uri, variables('tlsSslPolicyAssignment'))]", "aksHttpsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-AksWithoutHttpsPolicyAssignment.json')]", "ipFwdPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-IPForwardingPolicyAssignment.json')]", "publicEndpointPolicyAssignment": "[uri(deployment().properties.templateLink.uri, variables('PublicEndpointPolicyAssignment'))]", @@ -1650,8 +1674,8 @@ "pipOnNicPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-PublicIpAddressOnNICPolicyAssignment.json')]", "mgmtFromInternetPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-MgmtPortsFromInternetPolicyAssignment.json')]", "storageHttpsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-StorageWithoutHttpsPolicyAssignment.json')]", - "kvGuardrailsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsKeyVaultPolicyAssignment.json')]", - "backupPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-BackupPolicyAssignment.json')]", + "kvGuardrailsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, variables('kvGuardrailsPolicyAssignment'))]", + "backupPolicyAssignment": "[uri(deployment().properties.templateLink.uri, variables('backupPolicyAssignment'))]", "denyHybridNetworkingPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-HybridNetworkingPolicyAssignment.json')]", "auditPeDnsZonesPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/AUDIT-PeDnsZonesPolicyAssignment.json')]", "auditAppGwWafPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/AUDIT-AppGwWafPolicyAssignment.json')]", diff --git a/eslzArm/managementGroupTemplates/policyAssignments/china/mcDENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/china/mcDENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json new file mode 100644 index 0000000000..21436d78ec --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/china/mcDENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json @@ -0,0 +1,80 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + } + }, + "variables": { + "policyDefinitions": { + "deployEncryptionInTransit": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509-AzureChinaCloud')]" + }, + "policyAssignmentNames": { + "deployEncryptionInTransit": "Enforce-TLS-SSL-H224", + "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit.", + "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit" + }, + "nonComplianceMessage": { + "message": "TLS and SSL {enforcementMode} be enabled for on resources without encryption in transit.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", + "roleAssignmentNames": { + "deployEncryptionInTransit": "[guid(concat(parameters('topLevelManagementGroupPrefix'),variables('policyAssignmentNames').deployEncryptionInTransit))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').deployEncryptionInTransit]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').deployEncryptionInTransit]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ], + "parameters": {} + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployEncryptionInTransit]", + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').deployEncryptionInTransit)]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deployEncryptionInTransit), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/eslzArm/managementGroupTemplates/policyAssignments/china/mcENFORCE-BackupPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/china/mcENFORCE-BackupPolicyAssignment.json new file mode 100644 index 0000000000..5e935590b2 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/china/mcENFORCE-BackupPolicyAssignment.json @@ -0,0 +1,58 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + } + }, + "variables": { + "policyDefinitions": { + "enforceGuardrailsBackup": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Backup-AzureChinaCloud')]" + }, + "policyAssignmentNames": { + "enforceGuardrailsBackup": "Enforce-ASR", + "description": "This initiative assignment enables recommended ALZ guardrails for Azure Recovery Services.", + "displayName": "Enforce enhanced recovery and backup policies" + }, + "nonComplianceMessage": { + "message": "Recommended guardrails {enforcementMode} be enforced for Azure Recovery Services (Backup and Site Recovery).", + "Default": "must", + "DoNotEnforce": "should" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').enforceGuardrailsBackup]", + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsBackup]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ] + } + } + ], + "outputs": {} +} diff --git a/eslzArm/managementGroupTemplates/policyAssignments/china/mcENFORCE-GuardrailsKeyVaultPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/china/mcENFORCE-GuardrailsKeyVaultPolicyAssignment.json new file mode 100644 index 0000000000..aef6ea5d0a --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/china/mcENFORCE-GuardrailsKeyVaultPolicyAssignment.json @@ -0,0 +1,53 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + } + }, + "variables": { + "policyDefinitions": { + "enforceGuardrailsKeyVault": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVaul-AzureChinaCloud')]" + }, + "policyAssignmentNames": { + "enforceGuardrailsKeyVault": "Enforce-GR-KeyVault", + "description": "This initiative assignment enables recommended ALZ guardrails for Azure Key Vault.", + "displayName": "Enforce recommended guardrails for Azure Key Vault" + }, + "nonComplianceMessage": { + "message": "Recommended guardrails {enforcementMode} be enforced for Azure Key Vault.", + "Default": "must", + "DoNotEnforce": "should" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').enforceGuardrailsKeyVault]", + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsKeyVault]", + "enforcementMode": "[parameters('enforcementMode')]" + } + } + ], + "outputs": {} +} diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json index 18edb3eb52..0527f7d9ea 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "3829309302982984702" + "templateHash": "13806023795590053595" } }, "parameters": { @@ -78,33 +78,33 @@ ], "$fxv#0": "{\n \"name\": \"Audit-UnusedResourcesCostOptimization\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Unused resources driving cost should be avoided\",\n \"description\": \"Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Cost Optimization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectDisks\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Disks Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Compute/disks\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectPublicIpAddresses\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PublicIpAddresses Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Network/publicIpAddresses\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectServerFarms\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"ServerFarms Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Web/serverfarms\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AuditDisksUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDisks')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditPublicIpAddressesUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectPublicIpAddresses')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditServerFarmsUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectServerFarms')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditAzureHybridBenefitUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Audit\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#1": "{\n \"name\": \"Audit-TrustedLaunch\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Audit virtual machines for Trusted Launch support\",\n \"description\": \"Trusted Launch improves security of a Virtual Machine which requires VM SKU, OS Disk & OS Image to support it (Gen 2). To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Trusted Launch\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AuditDisksOsTrustedLaunch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b03bb370-5249-4ea4-9fce-2552e87e45fa\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditTrustedLaunchEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95b54ad-0614-4633-ab29-104b01235cbf\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#10": "{\n \"name\": \"Enforce-Guardrails-Compute\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Compute\",\n \"description\": \"This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Compute\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"diskDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vmAndVmssEncryptionHost\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87\",\n \"policyDefinitionReferenceId\": \"Deny-VmAndVmss-Encryption-Host\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vmAndVmssEncryptionHost')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816\",\n \"policyDefinitionReferenceId\": \"Deny-Disk-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('diskDoubleEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#11": "{\n \"name\": \"Enforce-Guardrails-ContainerInstance\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Instances\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerInstanceVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8af8f826-edcb-4178-b35f-851ea6fea615\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceVnet')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#12": "{\n \"name\": \"Enforce-Guardrails-ContainerRegistry\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Registry\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Registry\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerRegistryUnrestrictedNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryExports\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistrySkuPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a9b426fe-8856-4945-8600-18c5dd1cca2a\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Repo-Token\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/42781ec6-6127-4c30-bdfa-fb423a0047d3\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Arm-Audience\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/785596ed-054f-41bc-aaec-7f3d0ba05725\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Arm-Audience\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd560fc0-3c69-498a-ae9f-aa8eb7de0e13\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Sku-PrivateLink\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistrySkuPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Anonymous-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Anonymous-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/524b0254-c285-4903-bee6-bb8126cde579\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Exports\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryExports')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff05e24e-195c-447e-b322-5e90c9f9f366\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Repo-Token\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Unrestricted-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryUnrestrictedNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3701552-92ea-433e-9d17-33b7f1208fc9\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#13": "{\n \"name\": \"Enforce-Guardrails-DataExplorer\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Explorer\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Explorer is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Azure Data Explorer\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adxEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1fec9658-933f-4b3e-bc95-913ed22d012b\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Sku-without-PL-Support\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7b32f193-cb28-4e15-9a98-b9556db0bafa\",\n \"policyDefinitionReferenceId\": \"Modify-ADX-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#14": "{\n \"name\": \"Enforce-Guardrails-DataFactory\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Factory\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Factory is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Data Factory\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adfSqlIntegration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfLinkedServiceKeyVault\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfGit\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f78ccdb4-7bf4-4106-8647-270491d2978a\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/77d40665-3120-4348-b539-3192ec808307\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Git\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfGit')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/127ef6d7-242f-43b3-9eef-947faf1725d0\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Linked-Service-Key-Vault\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfLinkedServiceKeyVault')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0088bc63-6dee-4a9c-9d29-91cfdc848952\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Sql-Integration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfSqlIntegration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08b1442b-7789-4130-8506-4f99a97226a7\",\n \"policyDefinitionReferenceId\": \"Modify-Adf-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#15": "{\n \"name\": \"Enforce-Guardrails-EventGrid\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Grid\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Grid is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Grid\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventGridLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2dd0e8b9-4289-4bb0-b813-1883298e9924\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Partner-Namespace-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae9fb87f-8a17-4428-94a4-8135d431055c\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c8144d9-746a-4501-b08c-093c8d29ad04\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8632b003-3545-4b29-85e6-b2b96773df1e\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Partner-Namespace-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8bfadddb-ee1c-4639-8911-a38cb8e0b3bd\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/898e9824-104c-4965-8e0e-5197588fa5d4\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/36ea4b4b-0f7f-4a54-89fa-ab18f555a172\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#16": "{\n \"name\": \"Enforce-Guardrails-EventHub\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Hub\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Hub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventHubAuthRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/836cd60e-87f3-4e6a-a27c-29d687f01a4c\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/57f35901-8389-40bb-ac49-3ba4f86d889d\",\n \"policyDefinitionReferenceId\": \"Modify-EH-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5d4e3c65-4873-47be-94f3-6f8b953a3598\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Auth-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubAuthRules')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#17": "{\n \"name\": \"Enforce-Guardrails-Kubernetes\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Kubernetes\",\n \"description\": \"This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Kubernetes\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aksKms\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksCni\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivateCluster\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksCommandInvoke\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksReadinessOrLivenessProbes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivContainers\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivEscalation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksAllowedCapabilities\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksTempDisk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksInternalLb\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksDefaultNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksNakedPods\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksShareHostProcessAndNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksWindowsContainerAdministrator\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5485eac0-7e8f-4964-998b-a44f4f0c1e75\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Windows-Container-Administrator\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksWindowsContainerAdministrator')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Shared-Host-Process-Namespace\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksShareHostProcessAndNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65280eef-c8b4-425e-9aec-af55e55bf581\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Naked-Pods\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksNakedPods')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Default-Namespace\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksDefaultNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Internal-Lb\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksInternalLb')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Temp-Disk-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksTempDisk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Allowed-Capabilities\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksAllowedCapabilities')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Escalation\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivEscalation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Containers\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivContainers')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b1a9997f-2883-4f12-bdff-2280f99b5915\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-ReadinessOrLiveness-Probes\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksReadinessOrLivenessProbes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b708b0a-3380-40e9-8b79-821f9fa224cc\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Command-Invoke\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCommandInvoke')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Policy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPolicy')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Private-Cluster\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivateCluster')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dbbdc317-9734-4dd8-9074-993b29c69008\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Kms\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksKms')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46238e2f-3f6f-4589-9f3f-77bed4116e67\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Cni\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCni')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#18": "{\n \"name\": \"Enforce-Guardrails-MachineLearning\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Machine Learning\",\n \"description\": \"This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mlUserAssignedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"mlLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlOutdatedOS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f110a506-2dcb-422e-bcea-d533fc8c35e2\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Outdated-Os\",\n \"groupNames\": [],\n \"parameters\": {\n \"effects\": {\n \"value\": \"[[parameters('mlOutdatedOS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6f9a2d0-cff7-4855-83ad-4cd750666512\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0c7d88-c7de-45b8-ac49-db49e72eaa78\",\n \"policyDefinitionReferenceId\": \"Deny-ML-User-Assigned-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlUserAssignedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a10ee784-7409-4941-b091-663697637c0f\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#19": "{\n \"name\": \"Enforce-Guardrails-OpenAI\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Open AI (Cognitive Service)\",\n \"description\": \"This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveServicesOutboundNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAcls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesCustomerStorage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-OutboundNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesOutboundNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-NetworkAcls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAcls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Cust-Storage\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesCustomerStorage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyDisableLocalAuth')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#10": "{\n \"name\": \"Enforce-Guardrails-CognitiveServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cognitive Services\",\n \"description\": \"This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveSearchSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-SKU\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6300012e-e9a4-4649-b41f-a85f5c43be91\",\n \"policyDefinitionReferenceId\": \"Deny-CongitiveSearch-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4eb216f2-9dba-4979-86e6-5d7e63ce3b75\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9cee519f-d9c1-4fd9-9f79-24ec3449ed30\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#11": "{\n \"name\": \"Enforce-Guardrails-Compute\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Compute\",\n \"description\": \"This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Compute\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"diskDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vmAndVmssEncryptionHost\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87\",\n \"policyDefinitionReferenceId\": \"Deny-VmAndVmss-Encryption-Host\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vmAndVmssEncryptionHost')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816\",\n \"policyDefinitionReferenceId\": \"Deny-Disk-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('diskDoubleEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#12": "{\n \"name\": \"Enforce-Guardrails-ContainerInstance\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Instances\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerInstanceVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8af8f826-edcb-4178-b35f-851ea6fea615\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceVnet')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#13": "{\n \"name\": \"Enforce-Guardrails-ContainerRegistry\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Registry\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Registry\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerRegistryUnrestrictedNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryExports\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistrySkuPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a9b426fe-8856-4945-8600-18c5dd1cca2a\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Repo-Token\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/42781ec6-6127-4c30-bdfa-fb423a0047d3\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Arm-Audience\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/785596ed-054f-41bc-aaec-7f3d0ba05725\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Arm-Audience\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd560fc0-3c69-498a-ae9f-aa8eb7de0e13\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Sku-PrivateLink\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistrySkuPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Anonymous-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Anonymous-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/524b0254-c285-4903-bee6-bb8126cde579\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Exports\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryExports')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff05e24e-195c-447e-b322-5e90c9f9f366\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Repo-Token\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Unrestricted-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryUnrestrictedNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3701552-92ea-433e-9d17-33b7f1208fc9\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#14": "{\n \"name\": \"Enforce-Guardrails-DataExplorer\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Explorer\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Explorer is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Azure Data Explorer\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adxEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1fec9658-933f-4b3e-bc95-913ed22d012b\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Sku-without-PL-Support\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7b32f193-cb28-4e15-9a98-b9556db0bafa\",\n \"policyDefinitionReferenceId\": \"Modify-ADX-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#15": "{\n \"name\": \"Enforce-Guardrails-DataFactory\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Factory\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Factory is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Data Factory\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adfSqlIntegration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfLinkedServiceKeyVault\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfGit\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f78ccdb4-7bf4-4106-8647-270491d2978a\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/77d40665-3120-4348-b539-3192ec808307\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Git\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfGit')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/127ef6d7-242f-43b3-9eef-947faf1725d0\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Linked-Service-Key-Vault\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfLinkedServiceKeyVault')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0088bc63-6dee-4a9c-9d29-91cfdc848952\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Sql-Integration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfSqlIntegration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08b1442b-7789-4130-8506-4f99a97226a7\",\n \"policyDefinitionReferenceId\": \"Modify-Adf-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#16": "{\n \"name\": \"Enforce-Guardrails-EventGrid\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Grid\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Grid is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Grid\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventGridLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2dd0e8b9-4289-4bb0-b813-1883298e9924\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Partner-Namespace-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae9fb87f-8a17-4428-94a4-8135d431055c\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c8144d9-746a-4501-b08c-093c8d29ad04\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8632b003-3545-4b29-85e6-b2b96773df1e\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Partner-Namespace-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8bfadddb-ee1c-4639-8911-a38cb8e0b3bd\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/898e9824-104c-4965-8e0e-5197588fa5d4\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/36ea4b4b-0f7f-4a54-89fa-ab18f555a172\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#17": "{\n \"name\": \"Enforce-Guardrails-EventHub\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Hub\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Hub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventHubAuthRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/836cd60e-87f3-4e6a-a27c-29d687f01a4c\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/57f35901-8389-40bb-ac49-3ba4f86d889d\",\n \"policyDefinitionReferenceId\": \"Modify-EH-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5d4e3c65-4873-47be-94f3-6f8b953a3598\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Auth-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubAuthRules')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#18": "{\n \"name\": \"Enforce-Guardrails-Kubernetes\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Kubernetes\",\n \"description\": \"This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Kubernetes\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aksKms\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksCni\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivateCluster\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksCommandInvoke\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksReadinessOrLivenessProbes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivContainers\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivEscalation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksAllowedCapabilities\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksTempDisk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksInternalLb\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksDefaultNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksNakedPods\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksShareHostProcessAndNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksWindowsContainerAdministrator\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5485eac0-7e8f-4964-998b-a44f4f0c1e75\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Windows-Container-Administrator\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksWindowsContainerAdministrator')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Shared-Host-Process-Namespace\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksShareHostProcessAndNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65280eef-c8b4-425e-9aec-af55e55bf581\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Naked-Pods\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksNakedPods')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Default-Namespace\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksDefaultNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Internal-Lb\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksInternalLb')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Temp-Disk-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksTempDisk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Allowed-Capabilities\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksAllowedCapabilities')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Escalation\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivEscalation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Containers\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivContainers')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b1a9997f-2883-4f12-bdff-2280f99b5915\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-ReadinessOrLiveness-Probes\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksReadinessOrLivenessProbes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b708b0a-3380-40e9-8b79-821f9fa224cc\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Command-Invoke\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCommandInvoke')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Policy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPolicy')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Private-Cluster\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivateCluster')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dbbdc317-9734-4dd8-9074-993b29c69008\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Kms\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksKms')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46238e2f-3f6f-4589-9f3f-77bed4116e67\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Cni\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCni')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#19": "{\n \"name\": \"Enforce-Guardrails-MachineLearning\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Machine Learning\",\n \"description\": \"This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mlUserAssignedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"mlLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlOutdatedOS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f110a506-2dcb-422e-bcea-d533fc8c35e2\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Outdated-Os\",\n \"groupNames\": [],\n \"parameters\": {\n \"effects\": {\n \"value\": \"[[parameters('mlOutdatedOS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6f9a2d0-cff7-4855-83ad-4cd750666512\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0c7d88-c7de-45b8-ac49-db49e72eaa78\",\n \"policyDefinitionReferenceId\": \"Deny-ML-User-Assigned-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlUserAssignedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a10ee784-7409-4941-b091-663697637c0f\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#2": "{\n \"name\": \"Deploy-Sql-Security\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy SQL Database built-in SQL security configuration\",\n \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-Sql-Security_20240529.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-Sql-Security_20240529\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"metadata\": {\n \"description\": \"The email address to send alerts\",\n \"displayName\": \"The email address to send alerts\"\n },\n \"type\": \"String\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n },\n \"type\": \"String\"\n },\n \"SqlDbTdeDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n }\n },\n \"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n }\n },\n \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL database auditing settings\",\n \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n }\n },\n \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#20": "{\n \"name\": \"Enforce-Guardrails-PostgreSQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for PostgreSQL\",\n \"description\": \"This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"PostgreSQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"postgreSqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3\",\n \"policyDefinitionReferenceId\": \"Dine-PostgreSql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#21": "{\n \"name\": \"Enforce-Guardrails-ServiceBus\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Service Bus\",\n \"description\": \"This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Service Bus\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"serviceBusModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyDisabledLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusAuthzRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Authz-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusAuthzRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebaf4f25-a4e8-415f-86a8-42d9155bef0b\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfb11c26-f069-4c14-8e36-56c394dae5af\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyDisabledLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e\",\n \"policyDefinitionReferenceId\": \"Modify-Sb-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusModifyDisableLocalAuth')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#22": "{\n \"name\": \"Enforce-Guardrails-SQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for SQL and SQL Managed Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"sqlManagedAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"modifySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Managed-Defender\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Aad-Only\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Aad-Only\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Adv-Data\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b\",\n \"policyDefinitionReferenceId\": \"Modify-Sql-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifySqlPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#23": "{\n \"name\": \"Enforce-Guardrails-Synapse\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Synapse workspaces\",\n \"description\": \"This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Synapse\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"synapseLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseManagedVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseDataTraffic\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTenants\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseAllowedTenantIds\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"[[subscription().tenantId]\"\n ]\n },\n \"synapseFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"synapseModifyTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6\",\n \"policyDefinitionReferenceId\": \"Dine-Synapse-Defender\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3624673-d2ff-48e0-b28c-5de1c6767c3c\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56fd377d-098c-4f02-8406-81eb055902b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a003702-13d2-4679-941b-937e58c443f0\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tenant-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTenants')]\"\n },\n \"allowedTenantIds\": {\n \"value\": \"[[parameters('synapseAllowedTenantIds')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3484ce98-c0c5-4c83-994b-c5ac24785218\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Data-Traffic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDataTraffic')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d9dbfa3-927b-4cf0-9d0f-08747f971650\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Managed-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseManagedVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b5c654c-fb07-471b-aa8f-15fea733f140\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c8cad01-ef30-4891-b230-652dadb4876a\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#24": "{\n \"name\": \"Enforce-Guardrails-VirtualDesktop\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Virtual Desktop\",\n \"description\": \"This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Desktop Virtualization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"avdWorkspaceModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ce6ebf1d-0b94-4df9-9257-d8cacc238b4f\",\n \"policyDefinitionReferenceId\": \"Modify-Workspace-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspaceModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a0913ff-51e7-47b8-97bb-ea17127f7c8d\",\n \"policyDefinitionReferenceId\": \"Modify-Hostpool-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#25": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"5.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registries with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"PostgreSQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSql Flexible Server\",\n \"description\": \"This policy denies creation of PostgreSQL Flexible DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"postgreSqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSQL servers\",\n \"description\": \"This policy denies creation of PostgreSQL DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MySQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for MySQL Flexible Server\",\n \"description\": \"This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MlPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Machine Learning\",\n \"description\": \"This policy denies creation of Azure Machine Learning with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"RedisCachePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Cache for Redis\",\n \"description\": \"This policy denies creation of Azure Cache for Redis with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BotServicePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Bot Service\",\n \"description\": \"This policy denies creation of Bot Service with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AutomationPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Automation accounts\",\n \"description\": \"This policy denies creation of Automation accounts with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AppConfigPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Configuration\",\n \"description\": \"This policy denies creation of App Configuration with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionAppSlotPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service Environment apps\",\n \"description\": \"This policy denies creation of App Service Environment apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service apps\",\n \"description\": \"This policy denies creation of App Service apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ApiManPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for API Management services\",\n \"description\": \"This policy denies creation of API Management services with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n },\n \"ContainerAppsEnvironmentDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Container Apps environment should disable public network access\",\n \"description\": \"This policy denies creation of Container Apps Environment with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsrVaultDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Azure Recovery Services vaults should disable public network access\",\n \"description\": \"This policy denies creation of Azure Recovery Services vaults with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"logicAppPublicNetworkAccessEffect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"appSlotsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"cognitiveSearchPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"managedDiskPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"containerAppsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmDisablePublicNetwork\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapsePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdWorkspacePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"grafanaPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-PostgreSql-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MlPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisCachePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BotServiceDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BotServicePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppConfigDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppConfigPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppSlotsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/11c82d0c-db9f-4d7b-97c5-f3f9aa957da2\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppSlotPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AseDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApiManDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ApiManPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsEnvironmentDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsEnvironmentDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/783ea2a8-b8fd-46be-896a-9ae79643a0b1\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"AsrVaultDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9ebbbba3-4d65-4da9-bb67-b22cfaaff090\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsrVaultDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppPublicNetworkAccessEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/701a595d-38fb-4a66-ae6d-fb3735217622\",\n \"policyDefinitionReferenceId\": \"Deny-AppSlots-Public\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appSlotsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8405fdab-1faf-48aa-b702-999c9c172094\",\n \"policyDefinitionReferenceId\": \"Deny-ManagedDisk-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('managedDiskPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43bc7be6-5e69-4b0d-a2bb-e815557ca673\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1cf164be-6819-4a50-b8fa-4bcaa4f98fb6\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8f774be-6aee-492a-9e29-486ef81f3a68\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1adadefe-5f21-44f7-b931-a59b54ccdb45\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0602787f-9896-402a-a6e1-39ee63ee435e\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/19ea9d63-adee-4431-a95e-1913c6c1c75f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PublicNetwork\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetwork')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cbd11fd3-3002-4907-b6c8-579f0e700e13\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Public-Endpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Public-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsPublicAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/38d8df46-cf4e-4073-8e03-48c24b29de0d\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapsePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ac3038-c07a-4b92-860d-29e270a4f3cd\",\n \"policyDefinitionReferenceId\": \"Deny-Workspace-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspacePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c25dcf31-878f-4eba-98eb-0818fdc6a334\",\n \"policyDefinitionReferenceId\": \"Deny-Hostpool-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8775d5a-73b7-4977-a39b-833ef0114628\",\n \"policyDefinitionReferenceId\": \"Deny-Grafana-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('grafanaPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#26": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. This policy set is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"2.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for API Management to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for API Management to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for Firewall to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for Firewall to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Log Analytics to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category Audit enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AVDScalingPlansLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AVDScalingPlansLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#27": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html\",\n \"metadata\": {\n \"version\": \"7.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-MDFC-Config_20240319\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"default\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForApis\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForApis\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForApis')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#28": "{\n \"name\": \"Deploy-MDFC-Config_20240319\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-MDFC-Config\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"mdeTvm\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#29": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"2.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDatabricksPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDatabricksPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureHDInsightPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMigratePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMigratePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueueSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueueSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesKeyPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesKeyPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesLivePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesLivePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesStreamPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesStreamPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBotServicePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBotServicePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureManagedGrafanaWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureManagedGrafanaWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotDeviceupdatePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotDeviceupdatePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcGuestconfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcGuestconfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcHybridResourceProviderPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcHybridResourceProviderPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcKubernetesConfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcKubernetesConfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotCentralPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotCentralPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-UI-Api\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"databricks_ui_api\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-Browser-AuthN\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"browser_authentication\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Migrate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMigratePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Key\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesKeyPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"keydelivery\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Live\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesLivePrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"liveevent\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Stream\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesStreamPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"streamingendpoint\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-BotService\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6a4e6f44-f2af-4082-9702-033c9e88b9f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBotServicePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ManagedGrafanaWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4c8537f8-cd1b-49ec-b704-18e82a42fd58\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureManagedGrafanaWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTDeviceupdate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotDeviceupdatePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Arc\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9\",\n \"parameters\":{\n \"privateDnsZoneIDForGuestConfiguration\": {\n \"value\": \"[[parameters('azureArcGuestconfigurationPrivateDnsZoneId')]\"\n },\n \"privateDnsZoneIDForHybridResourceProvider\": {\n \"value\": \"[[parameters('azureArcHybridResourceProviderPrivateDnsZoneId')]\"\n },\n \"privateDnsZoneIDForKubernetesConfiguration\": {\n \"value\": \"[[parameters('azureArcKubernetesConfigurationPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTCentral\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d627d7c6-ded5-481a-8f2e-7e16b1e6faf6\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotCentralPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTablePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#20": "{\n \"name\": \"Enforce-Guardrails-OpenAI\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Open AI (Cognitive Service)\",\n \"description\": \"This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveServicesOutboundNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAcls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesCustomerStorage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-OutboundNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesOutboundNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-NetworkAcls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAcls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Cust-Storage\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesCustomerStorage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyDisableLocalAuth')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#21": "{\n \"name\": \"Enforce-Guardrails-PostgreSQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for PostgreSQL\",\n \"description\": \"This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"PostgreSQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"postgreSqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3\",\n \"policyDefinitionReferenceId\": \"Dine-PostgreSql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#22": "{\n \"name\": \"Enforce-Guardrails-ServiceBus\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Service Bus\",\n \"description\": \"This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Service Bus\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"serviceBusModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyDisabledLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusAuthzRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Authz-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusAuthzRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebaf4f25-a4e8-415f-86a8-42d9155bef0b\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfb11c26-f069-4c14-8e36-56c394dae5af\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyDisabledLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e\",\n \"policyDefinitionReferenceId\": \"Modify-Sb-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusModifyDisableLocalAuth')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#23": "{\n \"name\": \"Enforce-Guardrails-SQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for SQL and SQL Managed Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"sqlManagedAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"modifySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Managed-Defender\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Aad-Only\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Aad-Only\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Adv-Data\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b\",\n \"policyDefinitionReferenceId\": \"Modify-Sql-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifySqlPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#24": "{\n \"name\": \"Enforce-Guardrails-Synapse\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Synapse workspaces\",\n \"description\": \"This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Synapse\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"synapseLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseManagedVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseDataTraffic\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTenants\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseAllowedTenantIds\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"[[subscription().tenantId]\"\n ]\n },\n \"synapseFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"synapseModifyTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6\",\n \"policyDefinitionReferenceId\": \"Dine-Synapse-Defender\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3624673-d2ff-48e0-b28c-5de1c6767c3c\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56fd377d-098c-4f02-8406-81eb055902b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a003702-13d2-4679-941b-937e58c443f0\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tenant-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTenants')]\"\n },\n \"allowedTenantIds\": {\n \"value\": \"[[parameters('synapseAllowedTenantIds')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3484ce98-c0c5-4c83-994b-c5ac24785218\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Data-Traffic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDataTraffic')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d9dbfa3-927b-4cf0-9d0f-08747f971650\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Managed-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseManagedVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b5c654c-fb07-471b-aa8f-15fea733f140\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c8cad01-ef30-4891-b230-652dadb4876a\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#25": "{\n \"name\": \"Enforce-Guardrails-VirtualDesktop\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Virtual Desktop\",\n \"description\": \"This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Desktop Virtualization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"avdWorkspaceModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ce6ebf1d-0b94-4df9-9257-d8cacc238b4f\",\n \"policyDefinitionReferenceId\": \"Modify-Workspace-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspaceModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a0913ff-51e7-47b8-97bb-ea17127f7c8d\",\n \"policyDefinitionReferenceId\": \"Modify-Hostpool-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#26": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"5.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registries with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"PostgreSQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSql Flexible Server\",\n \"description\": \"This policy denies creation of PostgreSQL Flexible DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"postgreSqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSQL servers\",\n \"description\": \"This policy denies creation of PostgreSQL DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MySQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for MySQL Flexible Server\",\n \"description\": \"This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MlPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Machine Learning\",\n \"description\": \"This policy denies creation of Azure Machine Learning with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"RedisCachePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Cache for Redis\",\n \"description\": \"This policy denies creation of Azure Cache for Redis with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BotServicePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Bot Service\",\n \"description\": \"This policy denies creation of Bot Service with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AutomationPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Automation accounts\",\n \"description\": \"This policy denies creation of Automation accounts with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AppConfigPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Configuration\",\n \"description\": \"This policy denies creation of App Configuration with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionAppSlotPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service Environment apps\",\n \"description\": \"This policy denies creation of App Service Environment apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service apps\",\n \"description\": \"This policy denies creation of App Service apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ApiManPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for API Management services\",\n \"description\": \"This policy denies creation of API Management services with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n },\n \"ContainerAppsEnvironmentDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Container Apps environment should disable public network access\",\n \"description\": \"This policy denies creation of Container Apps Environment with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsrVaultDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Azure Recovery Services vaults should disable public network access\",\n \"description\": \"This policy denies creation of Azure Recovery Services vaults with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"logicAppPublicNetworkAccessEffect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"appSlotsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"cognitiveSearchPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"managedDiskPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"containerAppsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmDisablePublicNetwork\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapsePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdWorkspacePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"grafanaPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-PostgreSql-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MlPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisCachePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BotServiceDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BotServicePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppConfigDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppConfigPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppSlotsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/11c82d0c-db9f-4d7b-97c5-f3f9aa957da2\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppSlotPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AseDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApiManDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ApiManPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsEnvironmentDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsEnvironmentDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/783ea2a8-b8fd-46be-896a-9ae79643a0b1\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"AsrVaultDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9ebbbba3-4d65-4da9-bb67-b22cfaaff090\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsrVaultDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppPublicNetworkAccessEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/701a595d-38fb-4a66-ae6d-fb3735217622\",\n \"policyDefinitionReferenceId\": \"Deny-AppSlots-Public\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appSlotsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8405fdab-1faf-48aa-b702-999c9c172094\",\n \"policyDefinitionReferenceId\": \"Deny-ManagedDisk-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('managedDiskPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43bc7be6-5e69-4b0d-a2bb-e815557ca673\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1cf164be-6819-4a50-b8fa-4bcaa4f98fb6\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8f774be-6aee-492a-9e29-486ef81f3a68\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1adadefe-5f21-44f7-b931-a59b54ccdb45\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0602787f-9896-402a-a6e1-39ee63ee435e\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/19ea9d63-adee-4431-a95e-1913c6c1c75f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PublicNetwork\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetwork')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cbd11fd3-3002-4907-b6c8-579f0e700e13\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Public-Endpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Public-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsPublicAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/38d8df46-cf4e-4073-8e03-48c24b29de0d\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapsePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ac3038-c07a-4b92-860d-29e270a4f3cd\",\n \"policyDefinitionReferenceId\": \"Deny-Workspace-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspacePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c25dcf31-878f-4eba-98eb-0818fdc6a334\",\n \"policyDefinitionReferenceId\": \"Deny-Hostpool-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8775d5a-73b7-4977-a39b-833ef0114628\",\n \"policyDefinitionReferenceId\": \"Deny-Grafana-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('grafanaPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#27": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. This policy set is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"2.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for API Management to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for API Management to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for Firewall to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for Firewall to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Log Analytics to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category Audit enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AVDScalingPlansLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AVDScalingPlansLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#28": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html\",\n \"metadata\": {\n \"version\": \"7.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-MDFC-Config_20240319\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"default\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForApis\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForApis\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForApis')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#29": "{\n \"name\": \"Deploy-MDFC-Config_20240319\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-MDFC-Config\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"mdeTvm\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#3": "{\n \"name\": \"Deploy-Sql-Security_20240529\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy SQL Database built-in SQL security configuration\",\n \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-Sql-Security\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"metadata\": {\n \"description\": \"The email address to send alerts\",\n \"displayName\": \"The email address to send alerts\"\n },\n \"type\": \"Array\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n },\n \"type\": \"String\"\n },\n \"SqlDbTdeDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n }\n },\n \"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n }\n },\n \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL database auditing settings\",\n \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n }\n },\n \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments_20230706\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#30": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"3.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"HealthcareAPIsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest\",\n \"description\": \"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n },\n \"AutomationAccountCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"BackupCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"osAndDataDiskCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerInstanceCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"eventHubPremiumCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlManagedCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageTableCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsEncryptionCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageQueueCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HealthcareAPIsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('HealthcareAPIsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationAccountCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671\",\n \"policyDefinitionReferenceId\": \"Deny-Backup-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BackupCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0\",\n \"policyDefinitionReferenceId\": \"Deny-OsAndDataDisk-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('osAndDataDiskCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Premium-CMK\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubPremiumCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c322315-e26d-4174-a99e-f49d351b4688\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Table-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageTableCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Encryption-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsEncryptionCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e5abd0-2554-4736-b7c0-4ffef23475ef\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Queue-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageQueueCmk')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#31": "{\n \"name\": \"Enforce-ACSB\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce Azure Compute Security Benchmark compliance auditing\",\n \"description\": \"Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Guest Configuration\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"includeArcMachines\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"true\",\n \"false\"\n ],\n \"metadata\": {\n \"displayName\": \"Include Arc connected servers\",\n \"description\": \"By selecting this option, you agree to be charged monthly per Arc connected machine.\"\n },\n \"defaultValue\": \"true\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"GcIdentity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#32": "{\n \"name\": \"Deploy-MDFC-DefenderSQL-AMA\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Configure SQL VM and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LAW\",\n \"description\": \"Initiative is deprecated as the built-in initiative now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/de01d381-bae9-4670-8870-786f89f49e26.html\",\n \"metadata\": {\n \"version\": \"1.0.1-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"de01d381-bae9-4670-8870-786f89f49e26\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace Resource Id\",\n \"description\": \"Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Enable collection of SQL queries for security research\",\n \"description\": \"Enable or disable the collection of SQL queries for security research.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"identityResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Identity Resource Group\",\n \"description\": \"The name of the resource group created by the policy.\"\n },\n \"defaultValue\": \"\"\n },\n \"userAssignedIdentityName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User Assigned Managed Identity Name\",\n \"description\": \"The name of the user assigned managed identity.\"\n },\n \"defaultValue\": \"\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3592ff98-9787-443a-af59-4505d0fe0786\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65503269-6a54-4553-8a28-0065a8e6d929\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-Sql-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcDcrAssociation\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DCR-Association\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"identityResourceGroup\": {\n \"value\": \"[[parameters('identityResourceGroup')]\"\n },\n \"userAssignedIdentityName\": {\n \"value\": \"[[parameters('userAssignedIdentityName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Disabled\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#33": "{\n \"name\": \"Enforce-Backup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce enhanced recovery and backup policies\",\n \"description\": \"Enforce enhanced recovery and backup policies on assigned scopes.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Backup\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"checkLockedImmutabilityOnly\",\n \"description\": \"This parameter checks if Immutability is locked for Backup Vaults in scope. Selecting 'true' will mark only vaults with Immutability 'Locked' as compliant. Selecting 'false' will mark vaults that have Immutability either 'Enabled' or 'Locked' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"CheckAlwaysOnSoftDeleteOnly\",\n \"description\": \"This parameter checks if Soft Delete is 'Locked' for Backup Vaults in scope. Selecting 'true' will mark only vaults with Soft Delete 'AlwaysOn' as compliant. Selecting 'false' will mark vaults that have Soft Delete either 'On' or 'AlwaysOn' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2514263b-bc0d-4b06-ac3e-f262c0979018\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabiltyOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6f6f560-14b7-49a4-9fc8-d2c3a9807868\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9798d31d-6028-4dee-8643-46102185c016\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/31b8092a-36b8-434b-9af7-5ec844364148\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c58e083e-7982-4e24-afdc-be14d312389e\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c7031eab-0fc0-4cd9-acd0-4497bd66d91a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#34": "{\n \"name\": \"Enforce-ALZ-Decomm\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Decommissioned Landing Zone\",\n \"description\": \"Enforce policies in the Decommissioned Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Decommissioned\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [ \n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesAllowed\":{\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Allowed resource types in the Decommissioned landing zone\",\n \"description\": \"Allowed resource types in the Decommissioned landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DecomDenyResources\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c\",\n \"parameters\": {\n \"listOfResourceTypesAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DecomShutdownMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }\n ", + "$fxv#30": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"2.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDatabricksPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDatabricksPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureHDInsightPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMigratePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMigratePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueueSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueueSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesKeyPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesKeyPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesLivePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesLivePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesStreamPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesStreamPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBotServicePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBotServicePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureManagedGrafanaWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureManagedGrafanaWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotDeviceupdatePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotDeviceupdatePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcGuestconfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcGuestconfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcHybridResourceProviderPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcHybridResourceProviderPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcKubernetesConfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcKubernetesConfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotCentralPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotCentralPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-UI-Api\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"databricks_ui_api\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-Browser-AuthN\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"browser_authentication\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Migrate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMigratePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Key\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesKeyPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"keydelivery\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Live\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesLivePrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"liveevent\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Stream\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesStreamPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"streamingendpoint\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-BotService\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6a4e6f44-f2af-4082-9702-033c9e88b9f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBotServicePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ManagedGrafanaWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4c8537f8-cd1b-49ec-b704-18e82a42fd58\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureManagedGrafanaWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTDeviceupdate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotDeviceupdatePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Arc\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9\",\n \"parameters\":{\n \"privateDnsZoneIDForGuestConfiguration\": {\n \"value\": \"[[parameters('azureArcGuestconfigurationPrivateDnsZoneId')]\"\n },\n \"privateDnsZoneIDForHybridResourceProvider\": {\n \"value\": \"[[parameters('azureArcHybridResourceProviderPrivateDnsZoneId')]\"\n },\n \"privateDnsZoneIDForKubernetesConfiguration\": {\n \"value\": \"[[parameters('azureArcKubernetesConfigurationPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTCentral\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d627d7c6-ded5-481a-8f2e-7e16b1e6faf6\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotCentralPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTablePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#31": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"3.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"HealthcareAPIsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest\",\n \"description\": \"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n },\n \"AutomationAccountCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"BackupCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"osAndDataDiskCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerInstanceCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"eventHubPremiumCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlManagedCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageTableCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsEncryptionCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageQueueCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HealthcareAPIsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('HealthcareAPIsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationAccountCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671\",\n \"policyDefinitionReferenceId\": \"Deny-Backup-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BackupCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0\",\n \"policyDefinitionReferenceId\": \"Deny-OsAndDataDisk-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('osAndDataDiskCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Premium-CMK\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubPremiumCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c322315-e26d-4174-a99e-f49d351b4688\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Table-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageTableCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Encryption-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsEncryptionCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e5abd0-2554-4736-b7c0-4ffef23475ef\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Queue-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageQueueCmk')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#32": "{\n \"name\": \"Enforce-ACSB\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce Azure Compute Security Benchmark compliance auditing\",\n \"description\": \"Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Guest Configuration\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"includeArcMachines\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"true\",\n \"false\"\n ],\n \"metadata\": {\n \"displayName\": \"Include Arc connected servers\",\n \"description\": \"By selecting this option, you agree to be charged monthly per Arc connected machine.\"\n },\n \"defaultValue\": \"true\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"GcIdentity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#33": "{\n \"name\": \"Deploy-MDFC-DefenderSQL-AMA\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Configure SQL VM and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LAW\",\n \"description\": \"Initiative is deprecated as the built-in initiative now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/de01d381-bae9-4670-8870-786f89f49e26.html\",\n \"metadata\": {\n \"version\": \"1.0.1-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"de01d381-bae9-4670-8870-786f89f49e26\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace Resource Id\",\n \"description\": \"Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Enable collection of SQL queries for security research\",\n \"description\": \"Enable or disable the collection of SQL queries for security research.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"identityResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Identity Resource Group\",\n \"description\": \"The name of the resource group created by the policy.\"\n },\n \"defaultValue\": \"\"\n },\n \"userAssignedIdentityName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User Assigned Managed Identity Name\",\n \"description\": \"The name of the user assigned managed identity.\"\n },\n \"defaultValue\": \"\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3592ff98-9787-443a-af59-4505d0fe0786\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65503269-6a54-4553-8a28-0065a8e6d929\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-Sql-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcDcrAssociation\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DCR-Association\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"identityResourceGroup\": {\n \"value\": \"[[parameters('identityResourceGroup')]\"\n },\n \"userAssignedIdentityName\": {\n \"value\": \"[[parameters('userAssignedIdentityName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Disabled\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#34": "{\n \"name\": \"Enforce-Backup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce enhanced recovery and backup policies\",\n \"description\": \"Enforce enhanced recovery and backup policies on assigned scopes.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Backup\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"checkLockedImmutabilityOnly\",\n \"description\": \"This parameter checks if Immutability is locked for Backup Vaults in scope. Selecting 'true' will mark only vaults with Immutability 'Locked' as compliant. Selecting 'false' will mark vaults that have Immutability either 'Enabled' or 'Locked' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"CheckAlwaysOnSoftDeleteOnly\",\n \"description\": \"This parameter checks if Soft Delete is 'Locked' for Backup Vaults in scope. Selecting 'true' will mark only vaults with Soft Delete 'AlwaysOn' as compliant. Selecting 'false' will mark vaults that have Soft Delete either 'On' or 'AlwaysOn' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2514263b-bc0d-4b06-ac3e-f262c0979018\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabiltyOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6f6f560-14b7-49a4-9fc8-d2c3a9807868\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9798d31d-6028-4dee-8643-46102185c016\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/31b8092a-36b8-434b-9af7-5ec844364148\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c58e083e-7982-4e24-afdc-be14d312389e\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c7031eab-0fc0-4cd9-acd0-4497bd66d91a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#35": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\n \"policyDefinitionReferenceId\": \"Dine-Storage-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#36": "{\n \"name\": \"Enforce-Guardrails-KeyVault-Sup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce additional recommended guardrails for Key Vault\",\n \"description\": \"This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"keyVaultManagedHsmDisablePublicNetworkModify\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"keyVaultModifyFw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456\",\n \"policyDefinitionReferenceId\": \"Modify-KV-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\",\n \"policyDefinitionReferenceId\": \"Modify-KV-Fw\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultModifyFw')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#37": "{\n \"name\": \"Enforce-EncryptTransit\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html\",\n \"metadata\": {\n \"version\": \"2.1.0-deprecated\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Enforce-EncryptTransit_20240509\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"StorageHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }", @@ -121,33 +121,34 @@ "$fxv#47": "{\n \"name\": \"Deploy-MDFC-Config-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#48": "{\n \"name\": \"Enforce-Encryption-CMK-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#49": "{\n \"name\": \"Deploy-Private-DNS-Zones-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureHDInsightPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueueSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueueSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTablePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#5": "{\n \"name\": \"DenyAction-DeleteProtection\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"DenyAction Delete - Activity Log Settings and Diagnostic Settings\",\n \"description\": \"Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-DiagnosticSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-ActivityLogSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#5": "{\n \"name\": \"Enforce-ALZ-Decomm\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Decommissioned Landing Zone\",\n \"description\": \"Enforce policies in the Decommissioned Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Decommissioned\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [ \n \"AzureCloud\",\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesAllowed\":{\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Allowed resource types in the Decommissioned landing zone\",\n \"description\": \"Allowed resource types in the Decommissioned landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DecomDenyResources\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c\",\n \"parameters\": {\n \"listOfResourceTypesAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DecomShutdownMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }\n ", "$fxv#50": "{\n \"name\": \"Enforce-Guardrails-Storage-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#51": "{\n \"name\": \"Enforce-EncryptTransit_20240509-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#52": "{\n \"name\": \"Enforce-Guardrails-KeyVault-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#53": "{\n \"name\": \"Enforce-Guardrails-Automation-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#54": "{\n \"name\": \"Enforce-Guardrails-MySQL-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#55": "{\n \"name\": \"Enforce-Guardrails-Network-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#56": "{\n \"name\": \"Enforce-Guardrails-CosmosDb-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#57": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#58": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#59": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccounts\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#6": "{\n \"name\": \"Deploy-AUM-CheckUpdates\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines\",\n \"description\": \"Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"assessmentMode\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Assessment mode\",\n \"description\": \"Assessment mode for the machines.\"\n },\n \"allowedValues\": [\n \"ImageDefault\",\n \"AutomaticByPlatform\"\n ],\n \"defaultValue\": \"AutomaticByPlatform\"\n },\n \"locations\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Machines locations\",\n \"description\": \"The list of locations from which machines need to be targeted.\",\n \"strongType\": \"location\"\n },\n \"defaultValue\": []\n },\n \"tagValues\": {\n \"type\": \"Object\",\n \"metadata\": {\n \"displayName\": \"Tags on machines\",\n \"description\": \"The list of tags that need to matched for getting target machines.\"\n },\n \"defaultValue\": {}\n },\n \"tagOperator\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Tag operator\",\n \"description\": \"Matching condition for resource tags\"\n },\n \"allowedValues\": [\n \"All\",\n \"Any\"\n ],\n \"defaultValue\": \"Any\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#60": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#61": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#62": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\n \"policyDefinitionReferenceId\": \"Dine-Storage-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#63": "{\n \"name\": \"Enforce-Guardrails-KeyVault-Sup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce additional recommended guardrails for Key Vault\",\n \"description\": \"This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"keyVaultManagedHsmDisablePublicNetworkModify\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"keyVaultModifyFw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456\",\n \"policyDefinitionReferenceId\": \"Modify-KV-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\",\n \"policyDefinitionReferenceId\": \"Modify-KV-Fw\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultModifyFw')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#64": "{\n \"name\": \"Enforce-EncryptTransit\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html\",\n \"metadata\": {\n \"version\": \"2.1.0-deprecated\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Enforce-EncryptTransit_20240509\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"StorageHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }", - "$fxv#65": "{\n \"name\": \"Enforce-EncryptTransit_20240509\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#66": "{\n \"name\": \"Enforce-Guardrails-ContainerApps\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsVnetInjection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApp-Vnet-Injection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsVnetInjection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#67": "{\n \"name\": \"Enforce-Guardrails-KeyVault\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultManagedHsmCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57\",\n \"policyDefinitionReferenceId\": \"Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#68": "{\n \"name\": \"Enforce-Guardrails-Automation\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"autoHotPatch\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc\",\n \"policyDefinitionReferenceId\": \"Deny-Windows-Vm-HotPatch\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('autoHotPatch')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#69": "{\n \"name\": \"Enforce-Guardrails-MySQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mySqlInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlInfraEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#7": "{\n \"name\": \"Enforce-Guardrails-APIM\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for API Management\",\n \"description\": \"This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"API Management\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"apiSubscriptionScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"minimumApiVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSkuVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"apimApiBackendCertValidation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDirectApiEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimCallApiAuthn\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimEncryptedProtocols\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimVnetUsage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSecrets\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Kv\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSecrets')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimVnetUsage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS\",\n \"policyDefinitionReferenceId\": \"Deny-APIM-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Protocols\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimEncryptedProtocols')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Authn\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimCallApiAuthn')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Direct-Endpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDirectApiEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Cert-Validation\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimApiBackendCertValidation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2\",\n \"policyDefinitionReferenceId\": \"Dine-Apim-Public-NetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/73ef9241-5d81-4cd4-b483-8443d1730fe5\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Sku-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSkuVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('minimumApiVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1\",\n \"policyDefinitionReferenceId\": \"Deny-Api-subscription-scope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apiSubscriptionScope')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#70": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafAfdEnabled\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Afd-Enabled\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafAfdEnabled')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#71": "{\n \"name\": \"Enforce-Guardrails-CosmosDb\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbAtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656\",\n \"policyDefinitionReferenceId\": \"Dine-CosmosDb-Atp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbAtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#8": "{\n \"name\": \"Enforce-Guardrails-AppServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for App Service\",\n \"description\": \"This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"functionAppDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceSkuPl\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuthFtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceScmAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsVnetRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceEnvLatestVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceByoc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Byoc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceByoc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Remote-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Remote-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Latest-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceEnvLatestVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Vnet-Routing\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsVnetRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Rfc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222\",\n \"policyDefinitionReferenceId\": \"Deny-AppServiceApps-Rfc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb\",\n \"policyDefinitionReferenceId\": \"DINE-FuncApp-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-ScmAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceScmAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-Routing\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-FtpAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuthFtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/546fe8d2-368d-4029-a418-6af48a7f61e5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-SkuPl\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceSkuPl')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0f98368e-36bc-4716-8ac2-8f8067203b63\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Apps-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-App-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#9": "{\n \"name\": \"Enforce-Guardrails-CognitiveServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cognitive Services\",\n \"description\": \"This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveSearchSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-SKU\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6300012e-e9a4-4649-b41f-a85f5c43be91\",\n \"policyDefinitionReferenceId\": \"Deny-CongitiveSearch-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4eb216f2-9dba-4979-86e6-5d7e63ce3b75\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9cee519f-d9c1-4fd9-9f79-24ec3449ed30\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#52": "{\n \"name\": \"Enforce-Backup-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce enhanced recovery and backup policies\",\n \"description\": \"Enforce enhanced recovery and backup policies on assigned scopes.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Backup\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"checkLockedImmutabilityOnly\",\n \"description\": \"This parameter checks if Immutability is locked for Backup Vaults in scope. Selecting 'true' will mark only vaults with Immutability 'Locked' as compliant. Selecting 'false' will mark vaults that have Immutability either 'Enabled' or 'Locked' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2514263b-bc0d-4b06-ac3e-f262c0979018\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabiltyOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6f6f560-14b7-49a4-9fc8-d2c3a9807868\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#53": "{\n \"name\": \"Enforce-Guardrails-KeyVault-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#54": "{\n \"name\": \"Enforce-Guardrails-Automation-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#55": "{\n \"name\": \"Enforce-Guardrails-MySQL-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#56": "{\n \"name\": \"Enforce-Guardrails-Network-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#57": "{\n \"name\": \"Enforce-Guardrails-CosmosDb-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#58": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#59": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#6": "{\n \"name\": \"DenyAction-DeleteProtection\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"DenyAction Delete - Activity Log Settings and Diagnostic Settings\",\n \"description\": \"Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-DiagnosticSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-ActivityLogSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#60": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccounts\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#61": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#62": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#63": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\n \"policyDefinitionReferenceId\": \"Dine-Storage-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#64": "{\n \"name\": \"Enforce-Guardrails-KeyVault-Sup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce additional recommended guardrails for Key Vault\",\n \"description\": \"This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"keyVaultManagedHsmDisablePublicNetworkModify\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"keyVaultModifyFw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456\",\n \"policyDefinitionReferenceId\": \"Modify-KV-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\",\n \"policyDefinitionReferenceId\": \"Modify-KV-Fw\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultModifyFw')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#65": "{\n \"name\": \"Enforce-EncryptTransit\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html\",\n \"metadata\": {\n \"version\": \"2.1.0-deprecated\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Enforce-EncryptTransit_20240509\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"StorageHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }", + "$fxv#66": "{\n \"name\": \"Enforce-EncryptTransit_20240509\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#67": "{\n \"name\": \"Enforce-Guardrails-ContainerApps\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsVnetInjection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApp-Vnet-Injection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsVnetInjection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#68": "{\n \"name\": \"Enforce-Guardrails-KeyVault\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultManagedHsmCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57\",\n \"policyDefinitionReferenceId\": \"Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#69": "{\n \"name\": \"Enforce-Guardrails-Automation\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"autoHotPatch\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc\",\n \"policyDefinitionReferenceId\": \"Deny-Windows-Vm-HotPatch\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('autoHotPatch')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#7": "{\n \"name\": \"Deploy-AUM-CheckUpdates\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines\",\n \"description\": \"Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"assessmentMode\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Assessment mode\",\n \"description\": \"Assessment mode for the machines.\"\n },\n \"allowedValues\": [\n \"ImageDefault\",\n \"AutomaticByPlatform\"\n ],\n \"defaultValue\": \"AutomaticByPlatform\"\n },\n \"locations\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Machines locations\",\n \"description\": \"The list of locations from which machines need to be targeted.\",\n \"strongType\": \"location\"\n },\n \"defaultValue\": []\n },\n \"tagValues\": {\n \"type\": \"Object\",\n \"metadata\": {\n \"displayName\": \"Tags on machines\",\n \"description\": \"The list of tags that need to matched for getting target machines.\"\n },\n \"defaultValue\": {}\n },\n \"tagOperator\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Tag operator\",\n \"description\": \"Matching condition for resource tags\"\n },\n \"allowedValues\": [\n \"All\",\n \"Any\"\n ],\n \"defaultValue\": \"Any\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#70": "{\n \"name\": \"Enforce-Guardrails-MySQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mySqlInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlInfraEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#71": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafAfdEnabled\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Afd-Enabled\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafAfdEnabled')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#72": "{\n \"name\": \"Enforce-Guardrails-CosmosDb\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbAtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656\",\n \"policyDefinitionReferenceId\": \"Dine-CosmosDb-Atp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbAtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#8": "{\n \"name\": \"Enforce-Guardrails-APIM\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for API Management\",\n \"description\": \"This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"API Management\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"apiSubscriptionScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"minimumApiVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSkuVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"apimApiBackendCertValidation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDirectApiEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimCallApiAuthn\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimEncryptedProtocols\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimVnetUsage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSecrets\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Kv\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSecrets')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimVnetUsage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS\",\n \"policyDefinitionReferenceId\": \"Deny-APIM-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Protocols\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimEncryptedProtocols')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Authn\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimCallApiAuthn')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Direct-Endpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDirectApiEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Cert-Validation\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimApiBackendCertValidation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2\",\n \"policyDefinitionReferenceId\": \"Dine-Apim-Public-NetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/73ef9241-5d81-4cd4-b483-8443d1730fe5\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Sku-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSkuVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('minimumApiVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1\",\n \"policyDefinitionReferenceId\": \"Deny-Api-subscription-scope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apiSubscriptionScope')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#9": "{\n \"name\": \"Enforce-Guardrails-AppServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for App Service\",\n \"description\": \"This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"functionAppDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceSkuPl\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuthFtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceScmAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsVnetRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceEnvLatestVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceByoc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Byoc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceByoc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Remote-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Remote-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Latest-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceEnvLatestVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Vnet-Routing\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsVnetRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Rfc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222\",\n \"policyDefinitionReferenceId\": \"Deny-AppServiceApps-Rfc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb\",\n \"policyDefinitionReferenceId\": \"DINE-FuncApp-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-ScmAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceScmAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-Routing\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-FtpAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuthFtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/546fe8d2-368d-4029-a418-6af48a7f61e5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-SkuPl\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceSkuPl')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0f98368e-36bc-4716-8ac2-8f8067203b63\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Apps-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-App-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "cloudEnv": "[environment().name]", "defaultDeploymentLocationByCloudType": { "AzureCloud": "northeurope", @@ -185,10 +186,10 @@ "[variables('$fxv#21')]", "[variables('$fxv#22')]", "[variables('$fxv#23')]", - "[variables('$fxv#24')]" + "[variables('$fxv#24')]", + "[variables('$fxv#25')]" ], "AzureCloud": [ - "[variables('$fxv#25')]", "[variables('$fxv#26')]", "[variables('$fxv#27')]", "[variables('$fxv#28')]", @@ -221,10 +222,10 @@ "[variables('$fxv#53')]", "[variables('$fxv#54')]", "[variables('$fxv#55')]", - "[variables('$fxv#56')]" + "[variables('$fxv#56')]", + "[variables('$fxv#57')]" ], "AzureUSGovernment": [ - "[variables('$fxv#57')]", "[variables('$fxv#58')]", "[variables('$fxv#59')]", "[variables('$fxv#60')]", @@ -238,7 +239,8 @@ "[variables('$fxv#68')]", "[variables('$fxv#69')]", "[variables('$fxv#70')]", - "[variables('$fxv#71')]" + "[variables('$fxv#71')]", + "[variables('$fxv#72')]" ] }, "policySetDefinitionsByCloudType": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json index da13144022..fc9d50ca61 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json @@ -12,7 +12,8 @@ "category": "Decommissioned", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ - "AzureCloud" + "AzureCloud", + "AzureChinaCloud" ] }, "parameters": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Backup.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Backup.AzureChinaCloud.json new file mode 100644 index 0000000000..81a7305a7a --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Backup.AzureChinaCloud.json @@ -0,0 +1,75 @@ +{ + "name": "Enforce-Backup-AzureChinaCloud", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce enhanced recovery and backup policies", + "description": "Enforce enhanced recovery and backup policies on assigned scopes.", + "metadata": { + "version": "1.0.0", + "category": "Backup", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureChinaCloud" + ] + }, + "version": "1.0.0", + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy." + }, + "allowedValues": [ + "Audit", + "Disabled" + ], + "defaultValue": "Audit" + }, + "checkLockedImmutabilityOnly": { + "type": "Boolean", + "metadata": { + "displayName": "checkLockedImmutabilityOnly", + "description": "This parameter checks if Immutability is locked for Backup Vaults in scope. Selecting 'true' will mark only vaults with Immutability 'Locked' as compliant. Selecting 'false' will mark vaults that have Immutability either 'Enabled' or 'Locked' as compliant." + }, + "allowedValues": [ + true, + false + ], + "defaultValue": false + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "BackupBVault-Immutability", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2514263b-bc0d-4b06-ac3e-f262c0979018", + "parameters": { + "effect": { + "value": "[[parameters('effect')]" + }, + "checkLockedImmutabiltyOnly": { + "value": "[[parameters('checkLockedImmutabilityOnly')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "BackupRVault-Immutability", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6f6f560-14b7-49a4-9fc8-d2c3a9807868", + "parameters": { + "effect": { + "value": "[[parameters('effect')]" + }, + "checkLockedImmutabilityOnly": { + "value": "[[parameters('checkLockedImmutabilityOnly')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} diff --git a/src/templates/initiatives.bicep b/src/templates/initiatives.bicep index 11db6a9345..2572f21794 100644 --- a/src/templates/initiatives.bicep +++ b/src/templates/initiatives.bicep @@ -38,6 +38,7 @@ var loadPolicySetDefinitions = { loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security.json') loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security_20240529.json') loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox.json') + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json') loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/DenyAction-DeleteProtection.json') loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-AUM-CheckUpdates.json') loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-APIM.json') // FSI specific initiative @@ -69,7 +70,6 @@ var loadPolicySetDefinitions = { loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ACSB.json') // Unable to validate if Guest Configuration is working in other clouds loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-DefenderSQL-AMA.json') loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Backup.json') // Unable to validate if all Azure Site Recovery features are working in other clouds - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json') // Not working in AzureChinaCloud, needs validating in AzureUSGovernment loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.json') // FSI specific initiative. Not working in AzureChinaCloud, needs validating in AzureUSGovernment loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.json') // FSI specific initiative. Not working in AzureChinaCloud, needs validating in AzureUSGovernment loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit.json') // Not working in AzureChinaCloud, needs validating in AzureUSGovernment @@ -91,6 +91,7 @@ var loadPolicySetDefinitions = { loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (361c2074-3595-4e5d-8cab-4f21dffc835c) loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (0e80e269-43a4-4ae9-b5bc-178126b8a5cb) //loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (8b346db6-85af-419b-8557-92cee2c0f9bb, b874ab2d-72dd-47f1-8cb5-4a306478a4e7) + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Backup.AzureChinaCloud.json') // Unable to validate if all Azure Site Recovery features are working in other clouds loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (86810a98-8e91-4a44-8386-ec66d0de5d57) loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (6d02d2f7-e38b-4bdc-96f3-adc0a8726abc) loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (3a58212a-c829-4f13-9872-6371df2fd0b4) From d9af1bddc8583cbc1bf092131cb4952fe533ee5a Mon Sep 17 00:00:00 2001 From: yuanzhang9 Date: Fri, 16 Aug 2024 15:12:32 +0800 Subject: [PATCH 22/35] Fix policy for VM auto shutdown --- .../policyDefinitions/Deploy-Vm-autoShutdown.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown.json index bcb614327a..7cd48db4a6 100644 --- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown.json +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown.json @@ -13,7 +13,8 @@ "category": "Compute", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ - "AzureCloud" + "AzureCloud", + "AzureChinaCloud" ] }, "parameters": { From 2a0645a91f0706dfa5ea8192489197bb498ab1af Mon Sep 17 00:00:00 2001 From: yuanzhang9 Date: Fri, 16 Aug 2024 15:30:40 +0800 Subject: [PATCH 23/35] Fix VM Auto shutdown policy for China --- .../policyDefinitions/policies.json | 38 +++++++++---------- src/templates/policies.bicep | 2 +- 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json index 7a59b8f429..9eaafe1a97 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "502091197892104134" + "templateHash": "17371257750285966070" } }, "parameters": { @@ -125,23 +125,23 @@ "$fxv#14": "{\n \"name\": \"Deny-PostgreSql-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"PostgreSQL database servers enforce SSL connection.\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version minimum TLS for PostgreSQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for PostgreSQL server to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"notEquals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\n \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#140": "{\n \"name\": \"Deploy-Private-DNS-Generic\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy-Private-DNS-Generic\",\n \"description\": \"Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Networking\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \t\"AzureChinaCloud\",\n \t\t\"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone ID for Paas services\",\n \"description\": \"The private DNS zone name required for specific Paas Services to resolve a private DNS Zone.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"assignPermissions\": true\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS private endpoint resource type\",\n \"description\": \"The PaaS endpoint resource type.\"\n }\n },\n \"groupId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS Private endpoint group ID (subresource)\",\n \"description\": \"The group ID of the PaaS private endpoint. Also referred to as subresource.\"\n }\n },\n \"evaluationDelay\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Evaluation Delay\",\n \"description\": \"The delay in evaluation of the policy. Review delay options at https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists\"\n },\n \"defaultValue\": \"PT10M\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId\",\n \"contains\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"[[parameters('groupId')]\"\n }\n ]\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"evaluationDelay\": \"[[parameters('evaluationDelay')]\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"PaaS-Service-Private-DNS-Zone-Config\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", "$fxv#141": "{\n \"name\": \"DenyAction-DeleteResources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Do not allow deletion of specified resource and resource type\",\n \"description\": \"This policy enables you to specify the resource and resource type that your organization can protect from accidentals deletion by blocking delete calls using the deny action effect.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"General\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Name\",\n \"description\": \"Provide the name of the resource that you want to protect from accidental deletion.\"\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Type\",\n \"description\": \"Provide the resource type that you want to protect from accidental deletion.\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DenyAction\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DenyAction\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"name\",\n \"like\": \"[[parameters('resourceName')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"actionNames\": [\n \"delete\"\n ]\n }\n }\n }\n }\n}\n", - "$fxv#142": "{\n \"name\": \"Audit-MachineLearning-PrivateEndpointId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Control private endpoint connections to Azure Machine Learning\",\n \"description\": \"Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status\",\n \"equals\": \"Approved\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id\",\n \"exists\": false\n },\n {\n \"value\": \"[[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]\",\n \"notEquals\": \"[[subscription().subscriptionId]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#143": "{\n \"name\": \"Deny-AA-child-resources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"No child resources in Automation Account\",\n \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"in\": [\n \"Microsoft.Automation/automationAccounts/runbooks\",\n \"Microsoft.Automation/automationAccounts/variables\",\n \"Microsoft.Automation/automationAccounts/modules\",\n \"Microsoft.Automation/automationAccounts/credentials\",\n \"Microsoft.Automation/automationAccounts/connections\",\n \"Microsoft.Automation/automationAccounts/certificates\"\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#144": "{\n \"name\": \"Deny-Databricks-NoPublicIp\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny public IPs for Databricks cluster\",\n \"description\": \"Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value\",\n \"notEquals\": true\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#145": "{\n \"name\": \"Deny-Databricks-Sku\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny non-premium Databricks sku\",\n \"description\": \"Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/sku.name\",\n \"notEquals\": \"premium\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#146": "{\n \"name\": \"Deny-Databricks-VirtualNetwork\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny Databricks workspaces without Vnet injection\",\n \"description\": \"Enforces the use of vnet injection for Databricks workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value\",\n \"exists\": false\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#147": "{\n \"name\": \"Deny-MachineLearning-Aks\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny AKS cluster creation in Azure Machine Learning\",\n \"description\": \"Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AKS\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/resourceId\",\n \"exists\": false\n },\n {\n \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]\",\n \"equals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#148": "{\n \"name\": \"Deny-MachineLearning-Compute-SubnetId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances\",\n \"description\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"in\": [\n \"AmlCompute\",\n \"ComputeInstance\"\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/subnet.id\",\n \"exists\": false\n },\n {\n \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]\",\n \"equals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#149": "{\n \"name\": \"Deny-MachineLearning-Compute-VmSize\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances\",\n \"description\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"allowedVmSizes\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Allowed VM Sizes for Aml Compute Clusters and Instances\",\n \"description\": \"Specifies the allowed VM Sizes for Aml Compute Clusters and Instances\"\n },\n \"defaultValue\": [\n \"Standard_D1_v2\",\n \"Standard_D2_v2\",\n \"Standard_D3_v2\",\n \"Standard_D4_v2\",\n \"Standard_D11_v2\",\n \"Standard_D12_v2\",\n \"Standard_D13_v2\",\n \"Standard_D14_v2\",\n \"Standard_DS1_v2\",\n \"Standard_DS2_v2\",\n \"Standard_DS3_v2\",\n \"Standard_DS4_v2\",\n \"Standard_DS5_v2\",\n \"Standard_DS11_v2\",\n \"Standard_DS12_v2\",\n \"Standard_DS13_v2\",\n \"Standard_DS14_v2\",\n \"Standard_M8-2ms\",\n \"Standard_M8-4ms\",\n \"Standard_M8ms\",\n \"Standard_M16-4ms\",\n \"Standard_M16-8ms\",\n \"Standard_M16ms\",\n \"Standard_M32-8ms\",\n \"Standard_M32-16ms\",\n \"Standard_M32ls\",\n \"Standard_M32ms\",\n \"Standard_M32ts\",\n \"Standard_M64-16ms\",\n \"Standard_M64-32ms\",\n \"Standard_M64ls\",\n \"Standard_M64ms\",\n \"Standard_M64s\",\n \"Standard_M128-32ms\",\n \"Standard_M128-64ms\",\n \"Standard_M128ms\",\n \"Standard_M128s\",\n \"Standard_M64\",\n \"Standard_M64m\",\n \"Standard_M128\",\n \"Standard_M128m\",\n \"Standard_D1\",\n \"Standard_D2\",\n \"Standard_D3\",\n \"Standard_D4\",\n \"Standard_D11\",\n \"Standard_D12\",\n \"Standard_D13\",\n \"Standard_D14\",\n \"Standard_DS15_v2\",\n \"Standard_NV6\",\n \"Standard_NV12\",\n \"Standard_NV24\",\n \"Standard_F2s_v2\",\n \"Standard_F4s_v2\",\n \"Standard_F8s_v2\",\n \"Standard_F16s_v2\",\n \"Standard_F32s_v2\",\n \"Standard_F64s_v2\",\n \"Standard_F72s_v2\",\n \"Standard_NC6s_v3\",\n \"Standard_NC12s_v3\",\n \"Standard_NC24rs_v3\",\n \"Standard_NC24s_v3\",\n \"Standard_NC6\",\n \"Standard_NC12\",\n \"Standard_NC24\",\n \"Standard_NC24r\",\n \"Standard_ND6s\",\n \"Standard_ND12s\",\n \"Standard_ND24rs\",\n \"Standard_ND24s\",\n \"Standard_NC6s_v2\",\n \"Standard_NC12s_v2\",\n \"Standard_NC24rs_v2\",\n \"Standard_NC24s_v2\",\n \"Standard_ND40rs_v2\",\n \"Standard_NV12s_v3\",\n \"Standard_NV24s_v3\",\n \"Standard_NV48s_v3\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"in\": [\n \"AmlCompute\",\n \"ComputeInstance\"\n ]\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/vmSize\",\n \"notIn\": \"[[parameters('allowedVmSizes')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#142": "{\n \"name\": \"Deploy-Vm-autoShutdown\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Virtual Machine Auto Shutdown Schedule\",\n \"description\": \"Deploys an auto shutdown schedule to a virtual machine\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Compute\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"time\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Scheduled Shutdown Time\",\n \"description\": \"Daily Scheduled shutdown time. i.e. 2300 = 11:00 PM\"\n },\n \"defaultValue\": \"0000\"\n },\n \"timeZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"UTC\",\n \"metadata\": {\n \"displayName\": \"Time zone\",\n \"description\": \"The time zone ID (e.g. Pacific Standard time).\"\n }\n },\n \"EnableNotification\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"metadata\": {\n \"displayName\": \"Send Notification before auto-shutdown\",\n \"description\": \"If notifications are enabled for this schedule (i.e. Enabled, Disabled).\"\n },\n \"allowedValues\": [\n \"Disabled\",\n \"Enabled\"\n ]\n },\n \"NotificationEmailRecipient\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"Email Address\",\n \"description\": \"Email address to be used for notification\"\n }\n },\n \"NotificationWebhookUrl\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"Webhook URL\",\n \"description\": \"A notification will be posted to the specified webhook endpoint when the auto-shutdown is about to happen.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n \"then\": {\n \"effect\": \"deployIfNotExists\",\n \"details\": {\n \"type\": \"Microsoft.DevTestLab/schedules\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.DevTestLab/schedules/taskType\",\n \"equals\": \"ComputeVmShutdownTask\"\n },\n {\n \"field\": \"Microsoft.DevTestLab/schedules/targetResourceId\",\n \"equals\": \"[[concat(resourceGroup().id,'/providers/Microsoft.Compute/virtualMachines/',field('name'))]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"vmName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n },\n \"time\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"Daily Scheduled shutdown time. i.e. 2300 = 11:00 PM\"\n }\n },\n \"timeZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"The time zone ID (e.g. Pacific Standard time).\"\n }\n },\n \"EnableNotification\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"If notifications are enabled for this schedule (i.e. Enabled, Disabled).\"\n }\n },\n \"NotificationEmailRecipient\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"Email address to be used for notification\"\n }\n },\n \"NotificationWebhookUrl\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"A notification will be posted to the specified webhook endpoint when the auto-shutdown is about to happen.\"\n }\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"[[concat('shutdown-computevm-',parameters('vmName'))]\",\n \"type\": \"Microsoft.DevTestLab/schedules\",\n \"location\": \"[[parameters('location')]\",\n \"apiVersion\": \"2018-09-15\",\n \"properties\": {\n \"status\": \"Enabled\",\n \"taskType\": \"ComputeVmShutdownTask\",\n \"dailyRecurrence\": {\n \"time\": \"[[parameters('time')]\"\n },\n \"timeZoneId\": \"[[parameters('timeZoneId')]\",\n \"notificationSettings\": {\n \"status\": \"[[parameters('EnableNotification')]\",\n \"timeInMinutes\": 30,\n \"webhookUrl\": \"[[parameters('NotificationWebhookUrl')]\",\n \"emailRecipient\": \"[[parameters('NotificationEmailRecipient')]\",\n \"notificationLocale\": \"en\"\n },\n \"targetResourceId\": \"[[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"time\": {\n \"value\": \"[[parameters('time')]\"\n },\n \"timeZoneId\": {\n \"value\": \"[[parameters('timeZoneId')]\"\n },\n \"EnableNotification\": {\n \"value\": \"[[parameters('EnableNotification')]\"\n },\n \"NotificationEmailRecipient\": {\n \"value\": \"[[parameters('NotificationEmailRecipient')]\"\n },\n \"NotificationWebhookUrl\": {\n \"value\": \"[[parameters('NotificationWebhookUrl')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#143": "{\n \"name\": \"Audit-MachineLearning-PrivateEndpointId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Control private endpoint connections to Azure Machine Learning\",\n \"description\": \"Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status\",\n \"equals\": \"Approved\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id\",\n \"exists\": false\n },\n {\n \"value\": \"[[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]\",\n \"notEquals\": \"[[subscription().subscriptionId]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#144": "{\n \"name\": \"Deny-AA-child-resources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"No child resources in Automation Account\",\n \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"in\": [\n \"Microsoft.Automation/automationAccounts/runbooks\",\n \"Microsoft.Automation/automationAccounts/variables\",\n \"Microsoft.Automation/automationAccounts/modules\",\n \"Microsoft.Automation/automationAccounts/credentials\",\n \"Microsoft.Automation/automationAccounts/connections\",\n \"Microsoft.Automation/automationAccounts/certificates\"\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#145": "{\n \"name\": \"Deny-Databricks-NoPublicIp\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny public IPs for Databricks cluster\",\n \"description\": \"Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value\",\n \"notEquals\": true\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#146": "{\n \"name\": \"Deny-Databricks-Sku\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny non-premium Databricks sku\",\n \"description\": \"Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/sku.name\",\n \"notEquals\": \"premium\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#147": "{\n \"name\": \"Deny-Databricks-VirtualNetwork\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny Databricks workspaces without Vnet injection\",\n \"description\": \"Enforces the use of vnet injection for Databricks workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value\",\n \"exists\": false\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#148": "{\n \"name\": \"Deny-MachineLearning-Aks\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny AKS cluster creation in Azure Machine Learning\",\n \"description\": \"Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AKS\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/resourceId\",\n \"exists\": false\n },\n {\n \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]\",\n \"equals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#149": "{\n \"name\": \"Deny-MachineLearning-Compute-SubnetId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances\",\n \"description\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"in\": [\n \"AmlCompute\",\n \"ComputeInstance\"\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/subnet.id\",\n \"exists\": false\n },\n {\n \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]\",\n \"equals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#15": "{\n \"name\": \"Deny-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny the creation of private DNS\",\n \"description\": \"This policy denies the creation of a private DNS in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateDnsZones\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#150": "{\n \"name\": \"Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deny public access of Azure Machine Learning clusters via SSH\",\n \"description\": \"Deny public access of Azure Machine Learning clusters via SSH.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AmlCompute\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n \"notEquals\": \"Disabled\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#151": "{\n \"name\": \"Deny-MachineLearning-ComputeCluster-Scale\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforce scale settings for Azure Machine Learning compute clusters\",\n \"description\": \"Enforce scale settings for Azure Machine Learning compute clusters.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"maxNodeCount\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Maximum Node Count\",\n \"description\": \"Specifies the maximum node count of AML Clusters\"\n },\n \"defaultValue\": 10\n },\n \"minNodeCount\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Minimum Node Count\",\n \"description\": \"Specifies the minimum node count of AML Clusters\"\n },\n \"defaultValue\": 0\n },\n \"maxNodeIdleTimeInSecondsBeforeScaleDown\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Maximum Node Idle Time in Seconds Before Scaledown\",\n \"description\": \"Specifies the maximum node idle time in seconds before scaledown\"\n },\n \"defaultValue\": 900\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AmlCompute\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount\",\n \"greater\": \"[[parameters('maxNodeCount')]\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount\",\n \"greater\": \"[[parameters('minNodeCount')]\"\n },\n {\n \"value\": \"[[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]\",\n \"greater\": \"[[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#152": "{\n \"name\": \"Deny-MachineLearning-HbiWorkspace\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforces high business impact Azure Machine Learning Workspaces\",\n \"description\": \"Enforces high business impact Azure Machine Learning workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n \"notEquals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#153": "{\n \"name\": \"Deny-MachineLearning-PublicAccessWhenBehindVnet\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny public access behind vnet to Azure Machine Learning workspace\",\n \"description\": \"Deny public access behind vnet to Azure Machine Learning workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n \"notEquals\": false\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#154": "{\n \"name\": \"Deny-MachineLearning-PublicNetworkAccess\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Azure Machine Learning should have disabled public network access\",\n \"description\": \"Denies public network access for Azure Machine Learning workspaces. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/438c38d2-3772-465a-a9cc-7a6666a275ce.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"438c38d2-3772-465a-a9cc-7a6666a275ce\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/publicNetworkAccess\",\n \"notEquals\": \"Disabled\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#155": "{\n \"name\": \"Deploy-Budget\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"description\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"budgetName\": {\n \"type\": \"String\",\n \"defaultValue\": \"budget-set-by-policy\",\n \"metadata\": {\n \"description\": \"The name for the budget to be created\"\n }\n },\n \"amount\": {\n \"type\": \"String\",\n \"defaultValue\": \"1000\",\n \"metadata\": {\n \"description\": \"The total amount of cost or usage to track with the budget\"\n }\n },\n \"timeGrain\": {\n \"type\": \"String\",\n \"defaultValue\": \"Monthly\",\n \"allowedValues\": [\n \"Monthly\",\n \"Quarterly\",\n \"Annually\",\n \"BillingMonth\",\n \"BillingQuarter\",\n \"BillingAnnual\"\n ],\n \"metadata\": {\n \"description\": \"The time covered by a budget. Tracking of the amount will be reset based on the time grain.\"\n }\n },\n \"firstThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"90\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"secondThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"100\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"contactRoles\": {\n \"type\": \"Array\",\n \"defaultValue\": [\n \"Owner\",\n \"Contributor\"\n ],\n \"metadata\": {\n \"description\": \"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactEmails\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactGroups\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Consumption/budgets/amount\",\n \"equals\": \"[[parameters('amount')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/timeGrain\",\n \"equals\": \"[[parameters('timeGrain')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/category\",\n \"equals\": \"Cost\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"budgetName\": {\n \"value\": \"[[parameters('budgetName')]\"\n },\n \"amount\": {\n \"value\": \"[[parameters('amount')]\"\n },\n \"timeGrain\": {\n \"value\": \"[[parameters('timeGrain')]\"\n },\n \"firstThreshold\": {\n \"value\": \"[[parameters('firstThreshold')]\"\n },\n \"secondThreshold\": {\n \"value\": \"[[parameters('secondThreshold')]\"\n },\n \"contactEmails\": {\n \"value\": \"[[parameters('contactEmails')]\"\n },\n \"contactRoles\": {\n \"value\": \"[[parameters('contactRoles')]\"\n },\n \"contactGroups\": {\n \"value\": \"[[parameters('contactGroups')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"budgetName\": {\n \"type\": \"String\"\n },\n \"amount\": {\n \"type\": \"String\"\n },\n \"timeGrain\": {\n \"type\": \"String\"\n },\n \"firstThreshold\": {\n \"type\": \"String\"\n },\n \"secondThreshold\": {\n \"type\": \"String\"\n },\n \"contactEmails\": {\n \"type\": \"Array\"\n },\n \"contactRoles\": {\n \"type\": \"Array\"\n },\n \"contactGroups\": {\n \"type\": \"Array\"\n },\n \"startDate\": {\n \"type\": \"String\",\n \"defaultValue\": \"[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"[[parameters('budgetName')]\",\n \"properties\": {\n \"timePeriod\": {\n \"startDate\": \"[[parameters('startDate')]\"\n },\n \"timeGrain\": \"[[parameters('timeGrain')]\",\n \"amount\": \"[[parameters('amount')]\",\n \"category\": \"Cost\",\n \"notifications\": {\n \"NotificationForExceededBudget1\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('firstThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n },\n \"NotificationForExceededBudget2\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('secondThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n }\n }\n }\n }\n ]\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#156": "{\n \"name\": \"Deploy-Diagnostics-AVDScalingPlans\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DesktopVirtualization/scalingplans\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DesktopVirtualization/scalingplans/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"Autoscale\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#157": "{\n \"name\": \"Deploy-Vm-autoShutdown\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Virtual Machine Auto Shutdown Schedule\",\n \"description\": \"Deploys an auto shutdown schedule to a virtual machine\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Compute\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"time\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Scheduled Shutdown Time\",\n \"description\": \"Daily Scheduled shutdown time. i.e. 2300 = 11:00 PM\"\n },\n \"defaultValue\": \"0000\"\n },\n \"timeZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"UTC\",\n \"metadata\": {\n \"displayName\": \"Time zone\",\n \"description\": \"The time zone ID (e.g. Pacific Standard time).\"\n }\n },\n \"EnableNotification\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"metadata\": {\n \"displayName\": \"Send Notification before auto-shutdown\",\n \"description\": \"If notifications are enabled for this schedule (i.e. Enabled, Disabled).\"\n },\n \"allowedValues\": [\n \"Disabled\",\n \"Enabled\"\n ]\n },\n \"NotificationEmailRecipient\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"Email Address\",\n \"description\": \"Email address to be used for notification\"\n }\n },\n \"NotificationWebhookUrl\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"Webhook URL\",\n \"description\": \"A notification will be posted to the specified webhook endpoint when the auto-shutdown is about to happen.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n \"then\": {\n \"effect\": \"deployIfNotExists\",\n \"details\": {\n \"type\": \"Microsoft.DevTestLab/schedules\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.DevTestLab/schedules/taskType\",\n \"equals\": \"ComputeVmShutdownTask\"\n },\n {\n \"field\": \"Microsoft.DevTestLab/schedules/targetResourceId\",\n \"equals\": \"[[concat(resourceGroup().id,'/providers/Microsoft.Compute/virtualMachines/',field('name'))]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"vmName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n },\n \"time\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"Daily Scheduled shutdown time. i.e. 2300 = 11:00 PM\"\n }\n },\n \"timeZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"The time zone ID (e.g. Pacific Standard time).\"\n }\n },\n \"EnableNotification\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"If notifications are enabled for this schedule (i.e. Enabled, Disabled).\"\n }\n },\n \"NotificationEmailRecipient\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"Email address to be used for notification\"\n }\n },\n \"NotificationWebhookUrl\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"A notification will be posted to the specified webhook endpoint when the auto-shutdown is about to happen.\"\n }\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"[[concat('shutdown-computevm-',parameters('vmName'))]\",\n \"type\": \"Microsoft.DevTestLab/schedules\",\n \"location\": \"[[parameters('location')]\",\n \"apiVersion\": \"2018-09-15\",\n \"properties\": {\n \"status\": \"Enabled\",\n \"taskType\": \"ComputeVmShutdownTask\",\n \"dailyRecurrence\": {\n \"time\": \"[[parameters('time')]\"\n },\n \"timeZoneId\": \"[[parameters('timeZoneId')]\",\n \"notificationSettings\": {\n \"status\": \"[[parameters('EnableNotification')]\",\n \"timeInMinutes\": 30,\n \"webhookUrl\": \"[[parameters('NotificationWebhookUrl')]\",\n \"emailRecipient\": \"[[parameters('NotificationEmailRecipient')]\",\n \"notificationLocale\": \"en\"\n },\n \"targetResourceId\": \"[[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"time\": {\n \"value\": \"[[parameters('time')]\"\n },\n \"timeZoneId\": {\n \"value\": \"[[parameters('timeZoneId')]\"\n },\n \"EnableNotification\": {\n \"value\": \"[[parameters('EnableNotification')]\"\n },\n \"NotificationEmailRecipient\": {\n \"value\": \"[[parameters('NotificationEmailRecipient')]\"\n },\n \"NotificationWebhookUrl\": {\n \"value\": \"[[parameters('NotificationWebhookUrl')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#150": "{\n \"name\": \"Deny-MachineLearning-Compute-VmSize\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances\",\n \"description\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"allowedVmSizes\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Allowed VM Sizes for Aml Compute Clusters and Instances\",\n \"description\": \"Specifies the allowed VM Sizes for Aml Compute Clusters and Instances\"\n },\n \"defaultValue\": [\n \"Standard_D1_v2\",\n \"Standard_D2_v2\",\n \"Standard_D3_v2\",\n \"Standard_D4_v2\",\n \"Standard_D11_v2\",\n \"Standard_D12_v2\",\n \"Standard_D13_v2\",\n \"Standard_D14_v2\",\n \"Standard_DS1_v2\",\n \"Standard_DS2_v2\",\n \"Standard_DS3_v2\",\n \"Standard_DS4_v2\",\n \"Standard_DS5_v2\",\n \"Standard_DS11_v2\",\n \"Standard_DS12_v2\",\n \"Standard_DS13_v2\",\n \"Standard_DS14_v2\",\n \"Standard_M8-2ms\",\n \"Standard_M8-4ms\",\n \"Standard_M8ms\",\n \"Standard_M16-4ms\",\n \"Standard_M16-8ms\",\n \"Standard_M16ms\",\n \"Standard_M32-8ms\",\n \"Standard_M32-16ms\",\n \"Standard_M32ls\",\n \"Standard_M32ms\",\n \"Standard_M32ts\",\n \"Standard_M64-16ms\",\n \"Standard_M64-32ms\",\n \"Standard_M64ls\",\n \"Standard_M64ms\",\n \"Standard_M64s\",\n \"Standard_M128-32ms\",\n \"Standard_M128-64ms\",\n \"Standard_M128ms\",\n \"Standard_M128s\",\n \"Standard_M64\",\n \"Standard_M64m\",\n \"Standard_M128\",\n \"Standard_M128m\",\n \"Standard_D1\",\n \"Standard_D2\",\n \"Standard_D3\",\n \"Standard_D4\",\n \"Standard_D11\",\n \"Standard_D12\",\n \"Standard_D13\",\n \"Standard_D14\",\n \"Standard_DS15_v2\",\n \"Standard_NV6\",\n \"Standard_NV12\",\n \"Standard_NV24\",\n \"Standard_F2s_v2\",\n \"Standard_F4s_v2\",\n \"Standard_F8s_v2\",\n \"Standard_F16s_v2\",\n \"Standard_F32s_v2\",\n \"Standard_F64s_v2\",\n \"Standard_F72s_v2\",\n \"Standard_NC6s_v3\",\n \"Standard_NC12s_v3\",\n \"Standard_NC24rs_v3\",\n \"Standard_NC24s_v3\",\n \"Standard_NC6\",\n \"Standard_NC12\",\n \"Standard_NC24\",\n \"Standard_NC24r\",\n \"Standard_ND6s\",\n \"Standard_ND12s\",\n \"Standard_ND24rs\",\n \"Standard_ND24s\",\n \"Standard_NC6s_v2\",\n \"Standard_NC12s_v2\",\n \"Standard_NC24rs_v2\",\n \"Standard_NC24s_v2\",\n \"Standard_ND40rs_v2\",\n \"Standard_NV12s_v3\",\n \"Standard_NV24s_v3\",\n \"Standard_NV48s_v3\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"in\": [\n \"AmlCompute\",\n \"ComputeInstance\"\n ]\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/vmSize\",\n \"notIn\": \"[[parameters('allowedVmSizes')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#151": "{\n \"name\": \"Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deny public access of Azure Machine Learning clusters via SSH\",\n \"description\": \"Deny public access of Azure Machine Learning clusters via SSH.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AmlCompute\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n \"notEquals\": \"Disabled\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#152": "{\n \"name\": \"Deny-MachineLearning-ComputeCluster-Scale\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforce scale settings for Azure Machine Learning compute clusters\",\n \"description\": \"Enforce scale settings for Azure Machine Learning compute clusters.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"maxNodeCount\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Maximum Node Count\",\n \"description\": \"Specifies the maximum node count of AML Clusters\"\n },\n \"defaultValue\": 10\n },\n \"minNodeCount\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Minimum Node Count\",\n \"description\": \"Specifies the minimum node count of AML Clusters\"\n },\n \"defaultValue\": 0\n },\n \"maxNodeIdleTimeInSecondsBeforeScaleDown\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Maximum Node Idle Time in Seconds Before Scaledown\",\n \"description\": \"Specifies the maximum node idle time in seconds before scaledown\"\n },\n \"defaultValue\": 900\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AmlCompute\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount\",\n \"greater\": \"[[parameters('maxNodeCount')]\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount\",\n \"greater\": \"[[parameters('minNodeCount')]\"\n },\n {\n \"value\": \"[[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]\",\n \"greater\": \"[[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#153": "{\n \"name\": \"Deny-MachineLearning-HbiWorkspace\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforces high business impact Azure Machine Learning Workspaces\",\n \"description\": \"Enforces high business impact Azure Machine Learning workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n \"notEquals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#154": "{\n \"name\": \"Deny-MachineLearning-PublicAccessWhenBehindVnet\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny public access behind vnet to Azure Machine Learning workspace\",\n \"description\": \"Deny public access behind vnet to Azure Machine Learning workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n \"notEquals\": false\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#155": "{\n \"name\": \"Deny-MachineLearning-PublicNetworkAccess\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Azure Machine Learning should have disabled public network access\",\n \"description\": \"Denies public network access for Azure Machine Learning workspaces. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/438c38d2-3772-465a-a9cc-7a6666a275ce.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"438c38d2-3772-465a-a9cc-7a6666a275ce\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/publicNetworkAccess\",\n \"notEquals\": \"Disabled\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#156": "{\n \"name\": \"Deploy-Budget\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"description\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"budgetName\": {\n \"type\": \"String\",\n \"defaultValue\": \"budget-set-by-policy\",\n \"metadata\": {\n \"description\": \"The name for the budget to be created\"\n }\n },\n \"amount\": {\n \"type\": \"String\",\n \"defaultValue\": \"1000\",\n \"metadata\": {\n \"description\": \"The total amount of cost or usage to track with the budget\"\n }\n },\n \"timeGrain\": {\n \"type\": \"String\",\n \"defaultValue\": \"Monthly\",\n \"allowedValues\": [\n \"Monthly\",\n \"Quarterly\",\n \"Annually\",\n \"BillingMonth\",\n \"BillingQuarter\",\n \"BillingAnnual\"\n ],\n \"metadata\": {\n \"description\": \"The time covered by a budget. Tracking of the amount will be reset based on the time grain.\"\n }\n },\n \"firstThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"90\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"secondThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"100\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"contactRoles\": {\n \"type\": \"Array\",\n \"defaultValue\": [\n \"Owner\",\n \"Contributor\"\n ],\n \"metadata\": {\n \"description\": \"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactEmails\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactGroups\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Consumption/budgets/amount\",\n \"equals\": \"[[parameters('amount')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/timeGrain\",\n \"equals\": \"[[parameters('timeGrain')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/category\",\n \"equals\": \"Cost\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"budgetName\": {\n \"value\": \"[[parameters('budgetName')]\"\n },\n \"amount\": {\n \"value\": \"[[parameters('amount')]\"\n },\n \"timeGrain\": {\n \"value\": \"[[parameters('timeGrain')]\"\n },\n \"firstThreshold\": {\n \"value\": \"[[parameters('firstThreshold')]\"\n },\n \"secondThreshold\": {\n \"value\": \"[[parameters('secondThreshold')]\"\n },\n \"contactEmails\": {\n \"value\": \"[[parameters('contactEmails')]\"\n },\n \"contactRoles\": {\n \"value\": \"[[parameters('contactRoles')]\"\n },\n \"contactGroups\": {\n \"value\": \"[[parameters('contactGroups')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"budgetName\": {\n \"type\": \"String\"\n },\n \"amount\": {\n \"type\": \"String\"\n },\n \"timeGrain\": {\n \"type\": \"String\"\n },\n \"firstThreshold\": {\n \"type\": \"String\"\n },\n \"secondThreshold\": {\n \"type\": \"String\"\n },\n \"contactEmails\": {\n \"type\": \"Array\"\n },\n \"contactRoles\": {\n \"type\": \"Array\"\n },\n \"contactGroups\": {\n \"type\": \"Array\"\n },\n \"startDate\": {\n \"type\": \"String\",\n \"defaultValue\": \"[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"[[parameters('budgetName')]\",\n \"properties\": {\n \"timePeriod\": {\n \"startDate\": \"[[parameters('startDate')]\"\n },\n \"timeGrain\": \"[[parameters('timeGrain')]\",\n \"amount\": \"[[parameters('amount')]\",\n \"category\": \"Cost\",\n \"notifications\": {\n \"NotificationForExceededBudget1\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('firstThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n },\n \"NotificationForExceededBudget2\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('secondThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n }\n }\n }\n }\n ]\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#157": "{\n \"name\": \"Deploy-Diagnostics-AVDScalingPlans\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DesktopVirtualization/scalingplans\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DesktopVirtualization/scalingplans/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"Autoscale\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", "$fxv#158": "{\n \"name\": \"Deny-AFSPaasPublicIP\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Public network access should be disabled for Azure File Sync\",\n \"description\": \"Disabling the public endpoint allows you to restrict access to your Storage Sync Service resource to requests destined to approved private endpoints on your organization's network. There is nothing inherently insecure about allowing requests to the public endpoint, however, you may wish to disable it to meet regulatory, legal, or organizational policy requirements. You can disable the public endpoint for a Storage Sync Service by setting the incomingTrafficPolicy of the resource to AllowVirtualNetworksOnly.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.StorageSync/storageSyncServices\"\n },\n {\n \"field\": \"Microsoft.StorageSync/storageSyncServices/incomingTrafficPolicy\",\n \"notEquals\": \"AllowVirtualNetworksOnly\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#159": "{\n \"name\": \"Deny-KeyVaultPaasPublicIP\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Preview: Azure Key Vault should disable public network access\",\n \"description\": \"Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink.\",\n \"metadata\": {\n \"version\": \"2.0.0-preview\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"preview\": true,\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.KeyVault/vaults\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.KeyVault/vaults/createMode\",\n \"equals\": \"recover\"\n }\n },\n {\n \"field\": \"Microsoft.KeyVault/vaults/networkAcls.defaultAction\",\n \"notEquals\": \"Deny\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#16": "{\n \"name\": \"Deny-PublicEndpoint-MariaDB\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Public network access should be disabled for MariaDB\",\n \"description\": \"This policy denies the creation of Maria DB accounts with exposed public endpoints. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/fdccbe47-f3e3-4213-ad5d-ea459b2fa077.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforMariaDB/servers\"\n },\n {\n \"field\": \"Microsoft.DBforMariaDB/servers/publicNetworkAccess\",\n \"notequals\": \"Disabled\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", @@ -406,10 +406,10 @@ "[variables('$fxv#138')]", "[variables('$fxv#139')]", "[variables('$fxv#140')]", - "[variables('$fxv#141')]" + "[variables('$fxv#141')]", + "[variables('$fxv#142')]" ], "AzureCloud": [ - "[variables('$fxv#142')]", "[variables('$fxv#143')]", "[variables('$fxv#144')]", "[variables('$fxv#145')]", diff --git a/src/templates/policies.bicep b/src/templates/policies.bicep index 27d17e29a3..7ec548dfe8 100644 --- a/src/templates/policies.bicep +++ b/src/templates/policies.bicep @@ -183,6 +183,7 @@ var loadPolicyDefinitions = { loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Modify-UDR.json') // FSI specific policy loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Generic.json') loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources.json') + loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown.json') ] AzureCloud: [ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Audit-MachineLearning-PrivateEndpointId.json') // Needs validating in AzureChinaCloud and AzureUSGovernment @@ -200,7 +201,6 @@ var loadPolicyDefinitions = { loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicNetworkAccess.json') // Needs validating in AzureChinaCloud and AzureUSGovernment loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Budget.json') // Needs validating in AzureChinaCloud (already used in AzureUSGovernment) loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans.json') // No obvious reason for exclusion from AzureChinaCloud and AzureUSGovernment, impacts "Deploy-Diagnostics-LogAnalytics" Policy Set Definition - loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown.json') // Not working in AzureChinaCloud, needs validating in AzureUSGovernment ] AzureChinaCloud: [ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP.AzureChinaCloud.json') // Used by "Deny-PublicPaaSEndpoints" Policy Set Definition to replace missing built-in Policy Definition in AzureChinaCloud From f01dca52a1479a6752471d99d3944bbedf96b335 Mon Sep 17 00:00:00 2001 From: yuanzhang9 Date: Fri, 16 Aug 2024 16:18:01 +0800 Subject: [PATCH 24/35] Fix initiative ALZ Decommission --- eslzArm/eslzArm.json | 10 +- ...CE-ALZ-DecommissionedPolicyAssignment.json | 96 +++++++++++++++++++ .../Deploy-Vm-autoShutdown.json | 4 +- .../Enforce-ALZ-Decomm.AzureChinaCloud.json | 44 +++++++++ src/templates/initiatives.bicep | 3 +- src/templates/policies.bicep | 2 +- 6 files changed, 153 insertions(+), 6 deletions(-) create mode 100644 eslzArm/managementGroupTemplates/policyAssignments/china/mcENFORCE-ALZ-DecommissionedPolicyAssignment.json create mode 100644 src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.AzureChinaCloud.json diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index e7c1e7c805..d4582268b8 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -1632,6 +1632,14 @@ }, "kvGuardrailsPolicyAssignment": "[variables('kvGuardrailsPolicyAssignmentMapping')[environment().resourceManager]]", + "decommissionPolicyAssignmentMapping": { + "https://management.azure.com/": "managementGroupTemplates/policyAssignments/ENFORCE-ALZ-DecommissionedPolicyAssignment.json", + "https://management.usgovcloudapi.net": "managementGroupTemplates/policyAssignments/ENFORCE-ALZ-DecommissionedPolicyAssignment.json", // This needs to be updated for USGovernmentCloud + "https://management.chinacloudapi.cn": "managementGroupTemplates/policyAssignments/china/mcENFORCE-ALZ-DecommissionedPolicyAssignment.json" + + }, + "decommissionPolicyAssignment": "[variables('decommissionPolicyAssignmentMapping')[environment().resourceManager]]", + "deploymentUris": { "managementGroups": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/mgmtGroupStructure/mgmtGroups.json')]", "managementGroupsLite": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/mgmtGroupStructure/mgmtGroupsLite.json')]", @@ -1684,7 +1692,7 @@ "sqlAuditPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-SQLAuditingPolicyAssignment.json')]", "sqlEncryptionPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-SQLEncryptionPolicyAssignment.json')]", "sqlThreatPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-SQLThreatPolicyAssignment.json')]", - "decommissionPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-ALZ-DecommissionedPolicyAssignment.json')]", + "decommissionPolicyAssignment": "[uri(deployment().properties.templateLink.uri, variables('decommissionPolicyAssignment'))]", "sandboxPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-ALZ-SandboxPolicyAssignment.json')]", "ddosPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/MODIFY-DDoSPolicyAssignment.json')]", "corpVnetPeering": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/vnetPeering.json')]", diff --git a/eslzArm/managementGroupTemplates/policyAssignments/china/mcENFORCE-ALZ-DecommissionedPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/china/mcENFORCE-ALZ-DecommissionedPolicyAssignment.json new file mode 100644 index 0000000000..a957918d71 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/china/mcENFORCE-ALZ-DecommissionedPolicyAssignment.json @@ -0,0 +1,96 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + }, + "listOfResourceTypesAllowed": { + "type": "Array", + "defaultValue": [ + "microsoft.consumption/tags", + "microsoft.authorization/roleassignments", + "microsoft.authorization/roledefinitions", + "microsoft.authorization/policyassignments", + "microsoft.authorization/locks", + "microsoft.authorization/policydefinitions", + "microsoft.authorization/policysetdefinitions", + "microsoft.resources/tags", + "microsoft.authorization/roleeligibilityschedules", + "microsoft.authorization/roleeligibilityscheduleinstances", + "microsoft.authorization/roleassignmentschedules", + "microsoft.authorization/roleassignmentscheduleinstances" + ] + } + }, + "variables": { + "policyDefinitions": { + "enforceAlzDecommissioned": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm-AzureChinaCloud')]" + }, + "policyAssignmentNames": { + "alzDecommission": "Enforce-ALZ-Decomm", + "description": "This initiative will help enforce and govern subscriptions that are placed within the decommissioned Management Group as part of your Subscription decommissioning process. See https://aka.ms/alz/policies for more information.", + "displayName": "Enforce ALZ Decommissioned Guardrails" + }, + "nonComplianceMessage": { + "message": "ALZ Decommissioned Guardrails {enforcementMode} be enforced.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacVMContributor": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "roleAssignmentNames": { + "deployDecommRoles": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').alzDecommission))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').alzDecommission]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').enforceAlzDecommissioned]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "listOfResourceTypesAllowed": { + "value": "[parameters('listOfResourceTypesAllowed')]" + } + } + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployDecommRoles]", + "dependsOn": [ + "[variables('policyAssignmentNames').alzDecommission]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacVMContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').alzDecommission), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown.json index 7cd48db4a6..7fef29646c 100644 --- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown.json +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown.json @@ -13,9 +13,7 @@ "category": "Compute", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ - "AzureCloud", - "AzureChinaCloud" - ] + "AzureCloud" ] }, "parameters": { "time": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.AzureChinaCloud.json new file mode 100644 index 0000000000..33878569b9 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.AzureChinaCloud.json @@ -0,0 +1,44 @@ +{ + "name": "Enforce-ALZ-Decomm-AzureChinaCloud", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce policies in the Decommissioned Landing Zone", + "description": "Enforce policies in the Decommissioned Landing Zone.", + "metadata": { + "version": "1.0.0", + "category": "Decommissioned", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureChinaCloud" + ] + }, + "parameters": { + "listOfResourceTypesAllowed":{ + "type": "Array", + "defaultValue": [], + "metadata": { + "displayName": "Allowed resource types in the Decommissioned landing zone", + "description": "Allowed resource types in the Decommissioned landing zone, default is none.", + "strongType": "resourceTypes" + } + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "DecomDenyResources", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c", + "parameters": { + "listOfResourceTypesAllowed": { + "value": "[[parameters('listOfResourceTypesAllowed')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } + } + \ No newline at end of file diff --git a/src/templates/initiatives.bicep b/src/templates/initiatives.bicep index 2572f21794..6f42a55801 100644 --- a/src/templates/initiatives.bicep +++ b/src/templates/initiatives.bicep @@ -38,7 +38,6 @@ var loadPolicySetDefinitions = { loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security.json') loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security_20240529.json') loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox.json') - loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json') loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/DenyAction-DeleteProtection.json') loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-AUM-CheckUpdates.json') loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-APIM.json') // FSI specific initiative @@ -61,6 +60,7 @@ var loadPolicySetDefinitions = { loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-VirtualDesktop.json') // FSI specific initiative ] AzureCloud: [ + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json') // Not working in AzureChinaCloud, needs validating in AzureUSGovernment loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json') // See AzureChinaCloud and AzureUSGovernment comments below for reasoning loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.json') // See AzureChinaCloud and AzureUSGovernment comments below for reasoning loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.json') // See AzureChinaCloud and AzureUSGovernment comments below for reasoning @@ -97,6 +97,7 @@ var loadPolicySetDefinitions = { loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (3a58212a-c829-4f13-9872-6371df2fd0b4) loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (055aa869-bc98-4af8-bafc-23f1ab6ffe2c) loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (b5f04e03-92a3-4b09-9410-2cc5e5047656) + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.AzureChinaCloud.json') // Due to missing service DevTestLab which will be used by policy "Deploy-Vm-autoShutdown" ] AzureUSGovernment: [ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.AzureUSGovernment.json') // Due to missing built-in Policy Definitions (5e1de0e3-42cb-4ebc-a86d-61d0c619ca48, c9299215-ae47-4f50-9c54-8a392f68a052) diff --git a/src/templates/policies.bicep b/src/templates/policies.bicep index 7ec548dfe8..aae5465cf3 100644 --- a/src/templates/policies.bicep +++ b/src/templates/policies.bicep @@ -183,7 +183,6 @@ var loadPolicyDefinitions = { loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Modify-UDR.json') // FSI specific policy loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Generic.json') loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources.json') - loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown.json') ] AzureCloud: [ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Audit-MachineLearning-PrivateEndpointId.json') // Needs validating in AzureChinaCloud and AzureUSGovernment @@ -201,6 +200,7 @@ var loadPolicyDefinitions = { loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicNetworkAccess.json') // Needs validating in AzureChinaCloud and AzureUSGovernment loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Budget.json') // Needs validating in AzureChinaCloud (already used in AzureUSGovernment) loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans.json') // No obvious reason for exclusion from AzureChinaCloud and AzureUSGovernment, impacts "Deploy-Diagnostics-LogAnalytics" Policy Set Definition + loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown.json') // Not working in AzureChinaCloud since servie DevTestLab doesn't exist in Mooncake, needs validating in AzureUSGovernment ] AzureChinaCloud: [ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP.AzureChinaCloud.json') // Used by "Deny-PublicPaaSEndpoints" Policy Set Definition to replace missing built-in Policy Definition in AzureChinaCloud From b5c8e63b7e82339782c087232d66fdd5c69677be Mon Sep 17 00:00:00 2001 From: yuanzhang9 Date: Fri, 16 Aug 2024 16:19:43 +0800 Subject: [PATCH 25/35] update bicep and building json file --- .../policyDefinitions/initiatives.json | 86 ++++++++++--------- .../policyDefinitions/policies.json | 38 ++++---- 2 files changed, 63 insertions(+), 61 deletions(-) diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json index 0527f7d9ea..a5c01dcfaa 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "13806023795590053595" + "templateHash": "12998982961439820352" } }, "parameters": { @@ -78,23 +78,23 @@ ], "$fxv#0": "{\n \"name\": \"Audit-UnusedResourcesCostOptimization\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Unused resources driving cost should be avoided\",\n \"description\": \"Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Cost Optimization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectDisks\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Disks Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Compute/disks\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectPublicIpAddresses\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PublicIpAddresses Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Network/publicIpAddresses\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectServerFarms\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"ServerFarms Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Web/serverfarms\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AuditDisksUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDisks')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditPublicIpAddressesUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectPublicIpAddresses')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditServerFarmsUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectServerFarms')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditAzureHybridBenefitUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Audit\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#1": "{\n \"name\": \"Audit-TrustedLaunch\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Audit virtual machines for Trusted Launch support\",\n \"description\": \"Trusted Launch improves security of a Virtual Machine which requires VM SKU, OS Disk & OS Image to support it (Gen 2). To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Trusted Launch\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AuditDisksOsTrustedLaunch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b03bb370-5249-4ea4-9fce-2552e87e45fa\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditTrustedLaunchEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95b54ad-0614-4633-ab29-104b01235cbf\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#10": "{\n \"name\": \"Enforce-Guardrails-CognitiveServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cognitive Services\",\n \"description\": \"This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveSearchSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-SKU\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6300012e-e9a4-4649-b41f-a85f5c43be91\",\n \"policyDefinitionReferenceId\": \"Deny-CongitiveSearch-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4eb216f2-9dba-4979-86e6-5d7e63ce3b75\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9cee519f-d9c1-4fd9-9f79-24ec3449ed30\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#11": "{\n \"name\": \"Enforce-Guardrails-Compute\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Compute\",\n \"description\": \"This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Compute\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"diskDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vmAndVmssEncryptionHost\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87\",\n \"policyDefinitionReferenceId\": \"Deny-VmAndVmss-Encryption-Host\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vmAndVmssEncryptionHost')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816\",\n \"policyDefinitionReferenceId\": \"Deny-Disk-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('diskDoubleEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#12": "{\n \"name\": \"Enforce-Guardrails-ContainerInstance\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Instances\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerInstanceVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8af8f826-edcb-4178-b35f-851ea6fea615\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceVnet')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#13": "{\n \"name\": \"Enforce-Guardrails-ContainerRegistry\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Registry\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Registry\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerRegistryUnrestrictedNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryExports\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistrySkuPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a9b426fe-8856-4945-8600-18c5dd1cca2a\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Repo-Token\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/42781ec6-6127-4c30-bdfa-fb423a0047d3\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Arm-Audience\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/785596ed-054f-41bc-aaec-7f3d0ba05725\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Arm-Audience\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd560fc0-3c69-498a-ae9f-aa8eb7de0e13\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Sku-PrivateLink\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistrySkuPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Anonymous-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Anonymous-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/524b0254-c285-4903-bee6-bb8126cde579\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Exports\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryExports')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff05e24e-195c-447e-b322-5e90c9f9f366\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Repo-Token\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Unrestricted-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryUnrestrictedNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3701552-92ea-433e-9d17-33b7f1208fc9\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#14": "{\n \"name\": \"Enforce-Guardrails-DataExplorer\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Explorer\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Explorer is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Azure Data Explorer\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adxEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1fec9658-933f-4b3e-bc95-913ed22d012b\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Sku-without-PL-Support\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7b32f193-cb28-4e15-9a98-b9556db0bafa\",\n \"policyDefinitionReferenceId\": \"Modify-ADX-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#15": "{\n \"name\": \"Enforce-Guardrails-DataFactory\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Factory\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Factory is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Data Factory\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adfSqlIntegration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfLinkedServiceKeyVault\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfGit\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f78ccdb4-7bf4-4106-8647-270491d2978a\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/77d40665-3120-4348-b539-3192ec808307\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Git\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfGit')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/127ef6d7-242f-43b3-9eef-947faf1725d0\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Linked-Service-Key-Vault\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfLinkedServiceKeyVault')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0088bc63-6dee-4a9c-9d29-91cfdc848952\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Sql-Integration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfSqlIntegration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08b1442b-7789-4130-8506-4f99a97226a7\",\n \"policyDefinitionReferenceId\": \"Modify-Adf-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#16": "{\n \"name\": \"Enforce-Guardrails-EventGrid\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Grid\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Grid is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Grid\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventGridLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2dd0e8b9-4289-4bb0-b813-1883298e9924\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Partner-Namespace-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae9fb87f-8a17-4428-94a4-8135d431055c\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c8144d9-746a-4501-b08c-093c8d29ad04\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8632b003-3545-4b29-85e6-b2b96773df1e\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Partner-Namespace-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8bfadddb-ee1c-4639-8911-a38cb8e0b3bd\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/898e9824-104c-4965-8e0e-5197588fa5d4\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/36ea4b4b-0f7f-4a54-89fa-ab18f555a172\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#17": "{\n \"name\": \"Enforce-Guardrails-EventHub\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Hub\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Hub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventHubAuthRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/836cd60e-87f3-4e6a-a27c-29d687f01a4c\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/57f35901-8389-40bb-ac49-3ba4f86d889d\",\n \"policyDefinitionReferenceId\": \"Modify-EH-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5d4e3c65-4873-47be-94f3-6f8b953a3598\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Auth-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubAuthRules')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#18": "{\n \"name\": \"Enforce-Guardrails-Kubernetes\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Kubernetes\",\n \"description\": \"This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Kubernetes\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aksKms\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksCni\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivateCluster\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksCommandInvoke\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksReadinessOrLivenessProbes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivContainers\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivEscalation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksAllowedCapabilities\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksTempDisk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksInternalLb\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksDefaultNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksNakedPods\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksShareHostProcessAndNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksWindowsContainerAdministrator\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5485eac0-7e8f-4964-998b-a44f4f0c1e75\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Windows-Container-Administrator\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksWindowsContainerAdministrator')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Shared-Host-Process-Namespace\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksShareHostProcessAndNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65280eef-c8b4-425e-9aec-af55e55bf581\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Naked-Pods\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksNakedPods')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Default-Namespace\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksDefaultNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Internal-Lb\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksInternalLb')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Temp-Disk-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksTempDisk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Allowed-Capabilities\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksAllowedCapabilities')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Escalation\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivEscalation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Containers\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivContainers')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b1a9997f-2883-4f12-bdff-2280f99b5915\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-ReadinessOrLiveness-Probes\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksReadinessOrLivenessProbes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b708b0a-3380-40e9-8b79-821f9fa224cc\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Command-Invoke\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCommandInvoke')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Policy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPolicy')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Private-Cluster\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivateCluster')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dbbdc317-9734-4dd8-9074-993b29c69008\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Kms\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksKms')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46238e2f-3f6f-4589-9f3f-77bed4116e67\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Cni\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCni')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#19": "{\n \"name\": \"Enforce-Guardrails-MachineLearning\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Machine Learning\",\n \"description\": \"This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mlUserAssignedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"mlLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlOutdatedOS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f110a506-2dcb-422e-bcea-d533fc8c35e2\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Outdated-Os\",\n \"groupNames\": [],\n \"parameters\": {\n \"effects\": {\n \"value\": \"[[parameters('mlOutdatedOS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6f9a2d0-cff7-4855-83ad-4cd750666512\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0c7d88-c7de-45b8-ac49-db49e72eaa78\",\n \"policyDefinitionReferenceId\": \"Deny-ML-User-Assigned-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlUserAssignedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a10ee784-7409-4941-b091-663697637c0f\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#10": "{\n \"name\": \"Enforce-Guardrails-Compute\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Compute\",\n \"description\": \"This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Compute\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"diskDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vmAndVmssEncryptionHost\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87\",\n \"policyDefinitionReferenceId\": \"Deny-VmAndVmss-Encryption-Host\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vmAndVmssEncryptionHost')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816\",\n \"policyDefinitionReferenceId\": \"Deny-Disk-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('diskDoubleEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#11": "{\n \"name\": \"Enforce-Guardrails-ContainerInstance\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Instances\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerInstanceVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8af8f826-edcb-4178-b35f-851ea6fea615\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceVnet')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#12": "{\n \"name\": \"Enforce-Guardrails-ContainerRegistry\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Registry\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Registry\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerRegistryUnrestrictedNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryExports\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistrySkuPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a9b426fe-8856-4945-8600-18c5dd1cca2a\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Repo-Token\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/42781ec6-6127-4c30-bdfa-fb423a0047d3\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Arm-Audience\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/785596ed-054f-41bc-aaec-7f3d0ba05725\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Arm-Audience\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd560fc0-3c69-498a-ae9f-aa8eb7de0e13\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Sku-PrivateLink\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistrySkuPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Anonymous-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Anonymous-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/524b0254-c285-4903-bee6-bb8126cde579\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Exports\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryExports')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff05e24e-195c-447e-b322-5e90c9f9f366\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Repo-Token\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Unrestricted-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryUnrestrictedNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3701552-92ea-433e-9d17-33b7f1208fc9\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#13": "{\n \"name\": \"Enforce-Guardrails-DataExplorer\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Explorer\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Explorer is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Azure Data Explorer\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adxEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1fec9658-933f-4b3e-bc95-913ed22d012b\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Sku-without-PL-Support\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7b32f193-cb28-4e15-9a98-b9556db0bafa\",\n \"policyDefinitionReferenceId\": \"Modify-ADX-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#14": "{\n \"name\": \"Enforce-Guardrails-DataFactory\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Factory\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Factory is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Data Factory\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adfSqlIntegration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfLinkedServiceKeyVault\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfGit\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f78ccdb4-7bf4-4106-8647-270491d2978a\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/77d40665-3120-4348-b539-3192ec808307\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Git\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfGit')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/127ef6d7-242f-43b3-9eef-947faf1725d0\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Linked-Service-Key-Vault\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfLinkedServiceKeyVault')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0088bc63-6dee-4a9c-9d29-91cfdc848952\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Sql-Integration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfSqlIntegration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08b1442b-7789-4130-8506-4f99a97226a7\",\n \"policyDefinitionReferenceId\": \"Modify-Adf-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#15": "{\n \"name\": \"Enforce-Guardrails-EventGrid\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Grid\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Grid is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Grid\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventGridLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2dd0e8b9-4289-4bb0-b813-1883298e9924\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Partner-Namespace-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae9fb87f-8a17-4428-94a4-8135d431055c\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c8144d9-746a-4501-b08c-093c8d29ad04\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8632b003-3545-4b29-85e6-b2b96773df1e\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Partner-Namespace-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8bfadddb-ee1c-4639-8911-a38cb8e0b3bd\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/898e9824-104c-4965-8e0e-5197588fa5d4\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/36ea4b4b-0f7f-4a54-89fa-ab18f555a172\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#16": "{\n \"name\": \"Enforce-Guardrails-EventHub\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Hub\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Hub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventHubAuthRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/836cd60e-87f3-4e6a-a27c-29d687f01a4c\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/57f35901-8389-40bb-ac49-3ba4f86d889d\",\n \"policyDefinitionReferenceId\": \"Modify-EH-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5d4e3c65-4873-47be-94f3-6f8b953a3598\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Auth-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubAuthRules')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#17": "{\n \"name\": \"Enforce-Guardrails-Kubernetes\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Kubernetes\",\n \"description\": \"This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Kubernetes\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aksKms\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksCni\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivateCluster\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksCommandInvoke\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksReadinessOrLivenessProbes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivContainers\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivEscalation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksAllowedCapabilities\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksTempDisk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksInternalLb\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksDefaultNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksNakedPods\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksShareHostProcessAndNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksWindowsContainerAdministrator\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5485eac0-7e8f-4964-998b-a44f4f0c1e75\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Windows-Container-Administrator\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksWindowsContainerAdministrator')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Shared-Host-Process-Namespace\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksShareHostProcessAndNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65280eef-c8b4-425e-9aec-af55e55bf581\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Naked-Pods\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksNakedPods')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Default-Namespace\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksDefaultNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Internal-Lb\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksInternalLb')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Temp-Disk-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksTempDisk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Allowed-Capabilities\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksAllowedCapabilities')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Escalation\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivEscalation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Containers\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivContainers')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b1a9997f-2883-4f12-bdff-2280f99b5915\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-ReadinessOrLiveness-Probes\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksReadinessOrLivenessProbes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b708b0a-3380-40e9-8b79-821f9fa224cc\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Command-Invoke\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCommandInvoke')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Policy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPolicy')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Private-Cluster\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivateCluster')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dbbdc317-9734-4dd8-9074-993b29c69008\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Kms\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksKms')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46238e2f-3f6f-4589-9f3f-77bed4116e67\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Cni\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCni')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#18": "{\n \"name\": \"Enforce-Guardrails-MachineLearning\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Machine Learning\",\n \"description\": \"This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mlUserAssignedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"mlLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlOutdatedOS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f110a506-2dcb-422e-bcea-d533fc8c35e2\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Outdated-Os\",\n \"groupNames\": [],\n \"parameters\": {\n \"effects\": {\n \"value\": \"[[parameters('mlOutdatedOS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6f9a2d0-cff7-4855-83ad-4cd750666512\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0c7d88-c7de-45b8-ac49-db49e72eaa78\",\n \"policyDefinitionReferenceId\": \"Deny-ML-User-Assigned-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlUserAssignedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a10ee784-7409-4941-b091-663697637c0f\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#19": "{\n \"name\": \"Enforce-Guardrails-OpenAI\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Open AI (Cognitive Service)\",\n \"description\": \"This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveServicesOutboundNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAcls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesCustomerStorage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-OutboundNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesOutboundNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-NetworkAcls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAcls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Cust-Storage\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesCustomerStorage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyDisableLocalAuth')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#2": "{\n \"name\": \"Deploy-Sql-Security\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy SQL Database built-in SQL security configuration\",\n \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-Sql-Security_20240529.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-Sql-Security_20240529\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"metadata\": {\n \"description\": \"The email address to send alerts\",\n \"displayName\": \"The email address to send alerts\"\n },\n \"type\": \"String\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n },\n \"type\": \"String\"\n },\n \"SqlDbTdeDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n }\n },\n \"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n }\n },\n \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL database auditing settings\",\n \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n }\n },\n \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#20": "{\n \"name\": \"Enforce-Guardrails-OpenAI\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Open AI (Cognitive Service)\",\n \"description\": \"This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveServicesOutboundNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAcls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesCustomerStorage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-OutboundNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesOutboundNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-NetworkAcls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAcls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Cust-Storage\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesCustomerStorage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyDisableLocalAuth')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#21": "{\n \"name\": \"Enforce-Guardrails-PostgreSQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for PostgreSQL\",\n \"description\": \"This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"PostgreSQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"postgreSqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3\",\n \"policyDefinitionReferenceId\": \"Dine-PostgreSql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#22": "{\n \"name\": \"Enforce-Guardrails-ServiceBus\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Service Bus\",\n \"description\": \"This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Service Bus\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"serviceBusModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyDisabledLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusAuthzRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Authz-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusAuthzRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebaf4f25-a4e8-415f-86a8-42d9155bef0b\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfb11c26-f069-4c14-8e36-56c394dae5af\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyDisabledLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e\",\n \"policyDefinitionReferenceId\": \"Modify-Sb-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusModifyDisableLocalAuth')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#23": "{\n \"name\": \"Enforce-Guardrails-SQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for SQL and SQL Managed Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"sqlManagedAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"modifySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Managed-Defender\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Aad-Only\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Aad-Only\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Adv-Data\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b\",\n \"policyDefinitionReferenceId\": \"Modify-Sql-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifySqlPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#24": "{\n \"name\": \"Enforce-Guardrails-Synapse\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Synapse workspaces\",\n \"description\": \"This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Synapse\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"synapseLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseManagedVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseDataTraffic\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTenants\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseAllowedTenantIds\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"[[subscription().tenantId]\"\n ]\n },\n \"synapseFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"synapseModifyTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6\",\n \"policyDefinitionReferenceId\": \"Dine-Synapse-Defender\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3624673-d2ff-48e0-b28c-5de1c6767c3c\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56fd377d-098c-4f02-8406-81eb055902b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a003702-13d2-4679-941b-937e58c443f0\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tenant-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTenants')]\"\n },\n \"allowedTenantIds\": {\n \"value\": \"[[parameters('synapseAllowedTenantIds')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3484ce98-c0c5-4c83-994b-c5ac24785218\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Data-Traffic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDataTraffic')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d9dbfa3-927b-4cf0-9d0f-08747f971650\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Managed-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseManagedVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b5c654c-fb07-471b-aa8f-15fea733f140\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c8cad01-ef30-4891-b230-652dadb4876a\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#25": "{\n \"name\": \"Enforce-Guardrails-VirtualDesktop\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Virtual Desktop\",\n \"description\": \"This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Desktop Virtualization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"avdWorkspaceModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ce6ebf1d-0b94-4df9-9257-d8cacc238b4f\",\n \"policyDefinitionReferenceId\": \"Modify-Workspace-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspaceModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a0913ff-51e7-47b8-97bb-ea17127f7c8d\",\n \"policyDefinitionReferenceId\": \"Modify-Hostpool-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#20": "{\n \"name\": \"Enforce-Guardrails-PostgreSQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for PostgreSQL\",\n \"description\": \"This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"PostgreSQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"postgreSqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3\",\n \"policyDefinitionReferenceId\": \"Dine-PostgreSql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#21": "{\n \"name\": \"Enforce-Guardrails-ServiceBus\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Service Bus\",\n \"description\": \"This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Service Bus\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"serviceBusModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyDisabledLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusAuthzRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Authz-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusAuthzRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebaf4f25-a4e8-415f-86a8-42d9155bef0b\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfb11c26-f069-4c14-8e36-56c394dae5af\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyDisabledLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e\",\n \"policyDefinitionReferenceId\": \"Modify-Sb-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusModifyDisableLocalAuth')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#22": "{\n \"name\": \"Enforce-Guardrails-SQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for SQL and SQL Managed Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"sqlManagedAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"modifySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Managed-Defender\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Aad-Only\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Aad-Only\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Adv-Data\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b\",\n \"policyDefinitionReferenceId\": \"Modify-Sql-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifySqlPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#23": "{\n \"name\": \"Enforce-Guardrails-Synapse\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Synapse workspaces\",\n \"description\": \"This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Synapse\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"synapseLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseManagedVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseDataTraffic\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTenants\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseAllowedTenantIds\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"[[subscription().tenantId]\"\n ]\n },\n \"synapseFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"synapseModifyTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6\",\n \"policyDefinitionReferenceId\": \"Dine-Synapse-Defender\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3624673-d2ff-48e0-b28c-5de1c6767c3c\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56fd377d-098c-4f02-8406-81eb055902b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a003702-13d2-4679-941b-937e58c443f0\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tenant-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTenants')]\"\n },\n \"allowedTenantIds\": {\n \"value\": \"[[parameters('synapseAllowedTenantIds')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3484ce98-c0c5-4c83-994b-c5ac24785218\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Data-Traffic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDataTraffic')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d9dbfa3-927b-4cf0-9d0f-08747f971650\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Managed-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseManagedVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b5c654c-fb07-471b-aa8f-15fea733f140\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c8cad01-ef30-4891-b230-652dadb4876a\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#24": "{\n \"name\": \"Enforce-Guardrails-VirtualDesktop\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Virtual Desktop\",\n \"description\": \"This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Desktop Virtualization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"avdWorkspaceModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ce6ebf1d-0b94-4df9-9257-d8cacc238b4f\",\n \"policyDefinitionReferenceId\": \"Modify-Workspace-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspaceModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a0913ff-51e7-47b8-97bb-ea17127f7c8d\",\n \"policyDefinitionReferenceId\": \"Modify-Hostpool-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#25": "{\n \"name\": \"Enforce-ALZ-Decomm\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Decommissioned Landing Zone\",\n \"description\": \"Enforce policies in the Decommissioned Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Decommissioned\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [ \n \"AzureCloud\",\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesAllowed\":{\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Allowed resource types in the Decommissioned landing zone\",\n \"description\": \"Allowed resource types in the Decommissioned landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DecomDenyResources\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c\",\n \"parameters\": {\n \"listOfResourceTypesAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DecomShutdownMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }\n ", "$fxv#26": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"5.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registries with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"PostgreSQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSql Flexible Server\",\n \"description\": \"This policy denies creation of PostgreSQL Flexible DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"postgreSqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSQL servers\",\n \"description\": \"This policy denies creation of PostgreSQL DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MySQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for MySQL Flexible Server\",\n \"description\": \"This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MlPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Machine Learning\",\n \"description\": \"This policy denies creation of Azure Machine Learning with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"RedisCachePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Cache for Redis\",\n \"description\": \"This policy denies creation of Azure Cache for Redis with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BotServicePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Bot Service\",\n \"description\": \"This policy denies creation of Bot Service with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AutomationPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Automation accounts\",\n \"description\": \"This policy denies creation of Automation accounts with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AppConfigPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Configuration\",\n \"description\": \"This policy denies creation of App Configuration with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionAppSlotPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service Environment apps\",\n \"description\": \"This policy denies creation of App Service Environment apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service apps\",\n \"description\": \"This policy denies creation of App Service apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ApiManPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for API Management services\",\n \"description\": \"This policy denies creation of API Management services with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n },\n \"ContainerAppsEnvironmentDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Container Apps environment should disable public network access\",\n \"description\": \"This policy denies creation of Container Apps Environment with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsrVaultDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Azure Recovery Services vaults should disable public network access\",\n \"description\": \"This policy denies creation of Azure Recovery Services vaults with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"logicAppPublicNetworkAccessEffect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"appSlotsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"cognitiveSearchPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"managedDiskPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"containerAppsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmDisablePublicNetwork\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapsePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdWorkspacePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"grafanaPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-PostgreSql-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MlPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisCachePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BotServiceDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BotServicePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppConfigDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppConfigPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppSlotsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/11c82d0c-db9f-4d7b-97c5-f3f9aa957da2\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppSlotPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AseDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApiManDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ApiManPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsEnvironmentDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsEnvironmentDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/783ea2a8-b8fd-46be-896a-9ae79643a0b1\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"AsrVaultDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9ebbbba3-4d65-4da9-bb67-b22cfaaff090\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsrVaultDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppPublicNetworkAccessEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/701a595d-38fb-4a66-ae6d-fb3735217622\",\n \"policyDefinitionReferenceId\": \"Deny-AppSlots-Public\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appSlotsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8405fdab-1faf-48aa-b702-999c9c172094\",\n \"policyDefinitionReferenceId\": \"Deny-ManagedDisk-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('managedDiskPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43bc7be6-5e69-4b0d-a2bb-e815557ca673\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1cf164be-6819-4a50-b8fa-4bcaa4f98fb6\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8f774be-6aee-492a-9e29-486ef81f3a68\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1adadefe-5f21-44f7-b931-a59b54ccdb45\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0602787f-9896-402a-a6e1-39ee63ee435e\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/19ea9d63-adee-4431-a95e-1913c6c1c75f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PublicNetwork\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetwork')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cbd11fd3-3002-4907-b6c8-579f0e700e13\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Public-Endpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Public-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsPublicAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/38d8df46-cf4e-4073-8e03-48c24b29de0d\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapsePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ac3038-c07a-4b92-860d-29e270a4f3cd\",\n \"policyDefinitionReferenceId\": \"Deny-Workspace-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspacePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c25dcf31-878f-4eba-98eb-0818fdc6a334\",\n \"policyDefinitionReferenceId\": \"Deny-Hostpool-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8775d5a-73b7-4977-a39b-833ef0114628\",\n \"policyDefinitionReferenceId\": \"Deny-Grafana-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('grafanaPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#27": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. This policy set is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"2.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for API Management to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for API Management to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for Firewall to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for Firewall to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Log Analytics to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category Audit enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AVDScalingPlansLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AVDScalingPlansLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#28": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html\",\n \"metadata\": {\n \"version\": \"7.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-MDFC-Config_20240319\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"default\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForApis\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForApis\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForApis')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", @@ -121,7 +121,7 @@ "$fxv#47": "{\n \"name\": \"Deploy-MDFC-Config-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#48": "{\n \"name\": \"Enforce-Encryption-CMK-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#49": "{\n \"name\": \"Deploy-Private-DNS-Zones-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureHDInsightPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueueSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueueSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTablePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#5": "{\n \"name\": \"Enforce-ALZ-Decomm\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Decommissioned Landing Zone\",\n \"description\": \"Enforce policies in the Decommissioned Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Decommissioned\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [ \n \"AzureCloud\",\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesAllowed\":{\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Allowed resource types in the Decommissioned landing zone\",\n \"description\": \"Allowed resource types in the Decommissioned landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DecomDenyResources\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c\",\n \"parameters\": {\n \"listOfResourceTypesAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DecomShutdownMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }\n ", + "$fxv#5": "{\n \"name\": \"DenyAction-DeleteProtection\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"DenyAction Delete - Activity Log Settings and Diagnostic Settings\",\n \"description\": \"Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-DiagnosticSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-ActivityLogSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#50": "{\n \"name\": \"Enforce-Guardrails-Storage-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#51": "{\n \"name\": \"Enforce-EncryptTransit_20240509-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#52": "{\n \"name\": \"Enforce-Backup-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce enhanced recovery and backup policies\",\n \"description\": \"Enforce enhanced recovery and backup policies on assigned scopes.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Backup\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"checkLockedImmutabilityOnly\",\n \"description\": \"This parameter checks if Immutability is locked for Backup Vaults in scope. Selecting 'true' will mark only vaults with Immutability 'Locked' as compliant. Selecting 'false' will mark vaults that have Immutability either 'Enabled' or 'Locked' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2514263b-bc0d-4b06-ac3e-f262c0979018\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabiltyOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6f6f560-14b7-49a4-9fc8-d2c3a9807868\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", @@ -130,25 +130,26 @@ "$fxv#55": "{\n \"name\": \"Enforce-Guardrails-MySQL-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#56": "{\n \"name\": \"Enforce-Guardrails-Network-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#57": "{\n \"name\": \"Enforce-Guardrails-CosmosDb-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#58": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#59": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#6": "{\n \"name\": \"DenyAction-DeleteProtection\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"DenyAction Delete - Activity Log Settings and Diagnostic Settings\",\n \"description\": \"Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-DiagnosticSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-ActivityLogSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#60": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccounts\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#61": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#62": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#63": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\n \"policyDefinitionReferenceId\": \"Dine-Storage-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#64": "{\n \"name\": \"Enforce-Guardrails-KeyVault-Sup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce additional recommended guardrails for Key Vault\",\n \"description\": \"This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"keyVaultManagedHsmDisablePublicNetworkModify\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"keyVaultModifyFw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456\",\n \"policyDefinitionReferenceId\": \"Modify-KV-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\",\n \"policyDefinitionReferenceId\": \"Modify-KV-Fw\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultModifyFw')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#65": "{\n \"name\": \"Enforce-EncryptTransit\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html\",\n \"metadata\": {\n \"version\": \"2.1.0-deprecated\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Enforce-EncryptTransit_20240509\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"StorageHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }", - "$fxv#66": "{\n \"name\": \"Enforce-EncryptTransit_20240509\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#67": "{\n \"name\": \"Enforce-Guardrails-ContainerApps\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsVnetInjection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApp-Vnet-Injection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsVnetInjection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#68": "{\n \"name\": \"Enforce-Guardrails-KeyVault\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultManagedHsmCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57\",\n \"policyDefinitionReferenceId\": \"Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#69": "{\n \"name\": \"Enforce-Guardrails-Automation\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"autoHotPatch\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc\",\n \"policyDefinitionReferenceId\": \"Deny-Windows-Vm-HotPatch\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('autoHotPatch')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#7": "{\n \"name\": \"Deploy-AUM-CheckUpdates\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines\",\n \"description\": \"Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"assessmentMode\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Assessment mode\",\n \"description\": \"Assessment mode for the machines.\"\n },\n \"allowedValues\": [\n \"ImageDefault\",\n \"AutomaticByPlatform\"\n ],\n \"defaultValue\": \"AutomaticByPlatform\"\n },\n \"locations\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Machines locations\",\n \"description\": \"The list of locations from which machines need to be targeted.\",\n \"strongType\": \"location\"\n },\n \"defaultValue\": []\n },\n \"tagValues\": {\n \"type\": \"Object\",\n \"metadata\": {\n \"displayName\": \"Tags on machines\",\n \"description\": \"The list of tags that need to matched for getting target machines.\"\n },\n \"defaultValue\": {}\n },\n \"tagOperator\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Tag operator\",\n \"description\": \"Matching condition for resource tags\"\n },\n \"allowedValues\": [\n \"All\",\n \"Any\"\n ],\n \"defaultValue\": \"Any\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#70": "{\n \"name\": \"Enforce-Guardrails-MySQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mySqlInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlInfraEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#71": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafAfdEnabled\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Afd-Enabled\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafAfdEnabled')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#72": "{\n \"name\": \"Enforce-Guardrails-CosmosDb\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbAtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656\",\n \"policyDefinitionReferenceId\": \"Dine-CosmosDb-Atp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbAtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#8": "{\n \"name\": \"Enforce-Guardrails-APIM\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for API Management\",\n \"description\": \"This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"API Management\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"apiSubscriptionScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"minimumApiVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSkuVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"apimApiBackendCertValidation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDirectApiEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimCallApiAuthn\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimEncryptedProtocols\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimVnetUsage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSecrets\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Kv\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSecrets')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimVnetUsage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS\",\n \"policyDefinitionReferenceId\": \"Deny-APIM-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Protocols\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimEncryptedProtocols')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Authn\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimCallApiAuthn')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Direct-Endpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDirectApiEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Cert-Validation\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimApiBackendCertValidation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2\",\n \"policyDefinitionReferenceId\": \"Dine-Apim-Public-NetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/73ef9241-5d81-4cd4-b483-8443d1730fe5\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Sku-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSkuVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('minimumApiVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1\",\n \"policyDefinitionReferenceId\": \"Deny-Api-subscription-scope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apiSubscriptionScope')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#9": "{\n \"name\": \"Enforce-Guardrails-AppServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for App Service\",\n \"description\": \"This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"functionAppDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceSkuPl\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuthFtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceScmAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsVnetRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceEnvLatestVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceByoc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Byoc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceByoc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Remote-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Remote-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Latest-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceEnvLatestVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Vnet-Routing\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsVnetRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Rfc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222\",\n \"policyDefinitionReferenceId\": \"Deny-AppServiceApps-Rfc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb\",\n \"policyDefinitionReferenceId\": \"DINE-FuncApp-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-ScmAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceScmAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-Routing\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-FtpAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuthFtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/546fe8d2-368d-4029-a418-6af48a7f61e5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-SkuPl\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceSkuPl')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0f98368e-36bc-4716-8ac2-8f8067203b63\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Apps-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-App-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#58": "{\n \"name\": \"Enforce-ALZ-Decomm-AzureChinaCloud\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Decommissioned Landing Zone\",\n \"description\": \"Enforce policies in the Decommissioned Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Decommissioned\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [ \n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesAllowed\":{\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Allowed resource types in the Decommissioned landing zone\",\n \"description\": \"Allowed resource types in the Decommissioned landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DecomDenyResources\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c\",\n \"parameters\": {\n \"listOfResourceTypesAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesAllowed')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }\n ", + "$fxv#59": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#6": "{\n \"name\": \"Deploy-AUM-CheckUpdates\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines\",\n \"description\": \"Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"assessmentMode\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Assessment mode\",\n \"description\": \"Assessment mode for the machines.\"\n },\n \"allowedValues\": [\n \"ImageDefault\",\n \"AutomaticByPlatform\"\n ],\n \"defaultValue\": \"AutomaticByPlatform\"\n },\n \"locations\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Machines locations\",\n \"description\": \"The list of locations from which machines need to be targeted.\",\n \"strongType\": \"location\"\n },\n \"defaultValue\": []\n },\n \"tagValues\": {\n \"type\": \"Object\",\n \"metadata\": {\n \"displayName\": \"Tags on machines\",\n \"description\": \"The list of tags that need to matched for getting target machines.\"\n },\n \"defaultValue\": {}\n },\n \"tagOperator\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Tag operator\",\n \"description\": \"Matching condition for resource tags\"\n },\n \"allowedValues\": [\n \"All\",\n \"Any\"\n ],\n \"defaultValue\": \"Any\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#60": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#61": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccounts\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#62": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#63": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#64": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\n \"policyDefinitionReferenceId\": \"Dine-Storage-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#65": "{\n \"name\": \"Enforce-Guardrails-KeyVault-Sup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce additional recommended guardrails for Key Vault\",\n \"description\": \"This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"keyVaultManagedHsmDisablePublicNetworkModify\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"keyVaultModifyFw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456\",\n \"policyDefinitionReferenceId\": \"Modify-KV-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\",\n \"policyDefinitionReferenceId\": \"Modify-KV-Fw\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultModifyFw')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#66": "{\n \"name\": \"Enforce-EncryptTransit\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html\",\n \"metadata\": {\n \"version\": \"2.1.0-deprecated\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Enforce-EncryptTransit_20240509\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"StorageHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }", + "$fxv#67": "{\n \"name\": \"Enforce-EncryptTransit_20240509\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#68": "{\n \"name\": \"Enforce-Guardrails-ContainerApps\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsVnetInjection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApp-Vnet-Injection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsVnetInjection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#69": "{\n \"name\": \"Enforce-Guardrails-KeyVault\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultManagedHsmCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57\",\n \"policyDefinitionReferenceId\": \"Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#7": "{\n \"name\": \"Enforce-Guardrails-APIM\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for API Management\",\n \"description\": \"This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"API Management\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"apiSubscriptionScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"minimumApiVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSkuVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"apimApiBackendCertValidation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDirectApiEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimCallApiAuthn\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimEncryptedProtocols\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimVnetUsage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSecrets\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Kv\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSecrets')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimVnetUsage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS\",\n \"policyDefinitionReferenceId\": \"Deny-APIM-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Protocols\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimEncryptedProtocols')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Authn\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimCallApiAuthn')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Direct-Endpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDirectApiEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Cert-Validation\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimApiBackendCertValidation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2\",\n \"policyDefinitionReferenceId\": \"Dine-Apim-Public-NetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/73ef9241-5d81-4cd4-b483-8443d1730fe5\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Sku-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSkuVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('minimumApiVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1\",\n \"policyDefinitionReferenceId\": \"Deny-Api-subscription-scope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apiSubscriptionScope')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#70": "{\n \"name\": \"Enforce-Guardrails-Automation\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"autoHotPatch\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc\",\n \"policyDefinitionReferenceId\": \"Deny-Windows-Vm-HotPatch\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('autoHotPatch')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#71": "{\n \"name\": \"Enforce-Guardrails-MySQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mySqlInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlInfraEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#72": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafAfdEnabled\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Afd-Enabled\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafAfdEnabled')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#73": "{\n \"name\": \"Enforce-Guardrails-CosmosDb\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbAtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656\",\n \"policyDefinitionReferenceId\": \"Dine-CosmosDb-Atp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbAtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#8": "{\n \"name\": \"Enforce-Guardrails-AppServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for App Service\",\n \"description\": \"This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"functionAppDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceSkuPl\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuthFtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceScmAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsVnetRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceEnvLatestVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceByoc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Byoc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceByoc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Remote-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Remote-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Latest-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceEnvLatestVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Vnet-Routing\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsVnetRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Rfc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222\",\n \"policyDefinitionReferenceId\": \"Deny-AppServiceApps-Rfc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb\",\n \"policyDefinitionReferenceId\": \"DINE-FuncApp-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-ScmAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceScmAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-Routing\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-FtpAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuthFtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/546fe8d2-368d-4029-a418-6af48a7f61e5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-SkuPl\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceSkuPl')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0f98368e-36bc-4716-8ac2-8f8067203b63\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Apps-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-App-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#9": "{\n \"name\": \"Enforce-Guardrails-CognitiveServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cognitive Services\",\n \"description\": \"This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveSearchSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-SKU\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6300012e-e9a4-4649-b41f-a85f5c43be91\",\n \"policyDefinitionReferenceId\": \"Deny-CongitiveSearch-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4eb216f2-9dba-4979-86e6-5d7e63ce3b75\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9cee519f-d9c1-4fd9-9f79-24ec3449ed30\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "cloudEnv": "[environment().name]", "defaultDeploymentLocationByCloudType": { "AzureCloud": "northeurope", @@ -186,10 +187,10 @@ "[variables('$fxv#21')]", "[variables('$fxv#22')]", "[variables('$fxv#23')]", - "[variables('$fxv#24')]", - "[variables('$fxv#25')]" + "[variables('$fxv#24')]" ], "AzureCloud": [ + "[variables('$fxv#25')]", "[variables('$fxv#26')]", "[variables('$fxv#27')]", "[variables('$fxv#28')]", @@ -223,10 +224,10 @@ "[variables('$fxv#54')]", "[variables('$fxv#55')]", "[variables('$fxv#56')]", - "[variables('$fxv#57')]" + "[variables('$fxv#57')]", + "[variables('$fxv#58')]" ], "AzureUSGovernment": [ - "[variables('$fxv#58')]", "[variables('$fxv#59')]", "[variables('$fxv#60')]", "[variables('$fxv#61')]", @@ -240,7 +241,8 @@ "[variables('$fxv#69')]", "[variables('$fxv#70')]", "[variables('$fxv#71')]", - "[variables('$fxv#72')]" + "[variables('$fxv#72')]", + "[variables('$fxv#73')]" ] }, "policySetDefinitionsByCloudType": { diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json index 9eaafe1a97..5f6ce42667 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "17371257750285966070" + "templateHash": "4944830583225163484" } }, "parameters": { @@ -125,23 +125,23 @@ "$fxv#14": "{\n \"name\": \"Deny-PostgreSql-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"PostgreSQL database servers enforce SSL connection.\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version minimum TLS for PostgreSQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for PostgreSQL server to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"notEquals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\n \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#140": "{\n \"name\": \"Deploy-Private-DNS-Generic\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy-Private-DNS-Generic\",\n \"description\": \"Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Networking\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \t\"AzureChinaCloud\",\n \t\t\"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone ID for Paas services\",\n \"description\": \"The private DNS zone name required for specific Paas Services to resolve a private DNS Zone.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"assignPermissions\": true\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS private endpoint resource type\",\n \"description\": \"The PaaS endpoint resource type.\"\n }\n },\n \"groupId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS Private endpoint group ID (subresource)\",\n \"description\": \"The group ID of the PaaS private endpoint. Also referred to as subresource.\"\n }\n },\n \"evaluationDelay\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Evaluation Delay\",\n \"description\": \"The delay in evaluation of the policy. Review delay options at https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists\"\n },\n \"defaultValue\": \"PT10M\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId\",\n \"contains\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"[[parameters('groupId')]\"\n }\n ]\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"evaluationDelay\": \"[[parameters('evaluationDelay')]\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"PaaS-Service-Private-DNS-Zone-Config\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", "$fxv#141": "{\n \"name\": \"DenyAction-DeleteResources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Do not allow deletion of specified resource and resource type\",\n \"description\": \"This policy enables you to specify the resource and resource type that your organization can protect from accidentals deletion by blocking delete calls using the deny action effect.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"General\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Name\",\n \"description\": \"Provide the name of the resource that you want to protect from accidental deletion.\"\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Type\",\n \"description\": \"Provide the resource type that you want to protect from accidental deletion.\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DenyAction\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DenyAction\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"name\",\n \"like\": \"[[parameters('resourceName')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"actionNames\": [\n \"delete\"\n ]\n }\n }\n }\n }\n}\n", - "$fxv#142": "{\n \"name\": \"Deploy-Vm-autoShutdown\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Virtual Machine Auto Shutdown Schedule\",\n \"description\": \"Deploys an auto shutdown schedule to a virtual machine\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Compute\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"time\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Scheduled Shutdown Time\",\n \"description\": \"Daily Scheduled shutdown time. i.e. 2300 = 11:00 PM\"\n },\n \"defaultValue\": \"0000\"\n },\n \"timeZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"UTC\",\n \"metadata\": {\n \"displayName\": \"Time zone\",\n \"description\": \"The time zone ID (e.g. Pacific Standard time).\"\n }\n },\n \"EnableNotification\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"metadata\": {\n \"displayName\": \"Send Notification before auto-shutdown\",\n \"description\": \"If notifications are enabled for this schedule (i.e. Enabled, Disabled).\"\n },\n \"allowedValues\": [\n \"Disabled\",\n \"Enabled\"\n ]\n },\n \"NotificationEmailRecipient\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"Email Address\",\n \"description\": \"Email address to be used for notification\"\n }\n },\n \"NotificationWebhookUrl\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"Webhook URL\",\n \"description\": \"A notification will be posted to the specified webhook endpoint when the auto-shutdown is about to happen.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n \"then\": {\n \"effect\": \"deployIfNotExists\",\n \"details\": {\n \"type\": \"Microsoft.DevTestLab/schedules\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.DevTestLab/schedules/taskType\",\n \"equals\": \"ComputeVmShutdownTask\"\n },\n {\n \"field\": \"Microsoft.DevTestLab/schedules/targetResourceId\",\n \"equals\": \"[[concat(resourceGroup().id,'/providers/Microsoft.Compute/virtualMachines/',field('name'))]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"vmName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n },\n \"time\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"Daily Scheduled shutdown time. i.e. 2300 = 11:00 PM\"\n }\n },\n \"timeZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"The time zone ID (e.g. Pacific Standard time).\"\n }\n },\n \"EnableNotification\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"If notifications are enabled for this schedule (i.e. Enabled, Disabled).\"\n }\n },\n \"NotificationEmailRecipient\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"Email address to be used for notification\"\n }\n },\n \"NotificationWebhookUrl\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"A notification will be posted to the specified webhook endpoint when the auto-shutdown is about to happen.\"\n }\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"[[concat('shutdown-computevm-',parameters('vmName'))]\",\n \"type\": \"Microsoft.DevTestLab/schedules\",\n \"location\": \"[[parameters('location')]\",\n \"apiVersion\": \"2018-09-15\",\n \"properties\": {\n \"status\": \"Enabled\",\n \"taskType\": \"ComputeVmShutdownTask\",\n \"dailyRecurrence\": {\n \"time\": \"[[parameters('time')]\"\n },\n \"timeZoneId\": \"[[parameters('timeZoneId')]\",\n \"notificationSettings\": {\n \"status\": \"[[parameters('EnableNotification')]\",\n \"timeInMinutes\": 30,\n \"webhookUrl\": \"[[parameters('NotificationWebhookUrl')]\",\n \"emailRecipient\": \"[[parameters('NotificationEmailRecipient')]\",\n \"notificationLocale\": \"en\"\n },\n \"targetResourceId\": \"[[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"time\": {\n \"value\": \"[[parameters('time')]\"\n },\n \"timeZoneId\": {\n \"value\": \"[[parameters('timeZoneId')]\"\n },\n \"EnableNotification\": {\n \"value\": \"[[parameters('EnableNotification')]\"\n },\n \"NotificationEmailRecipient\": {\n \"value\": \"[[parameters('NotificationEmailRecipient')]\"\n },\n \"NotificationWebhookUrl\": {\n \"value\": \"[[parameters('NotificationWebhookUrl')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#143": "{\n \"name\": \"Audit-MachineLearning-PrivateEndpointId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Control private endpoint connections to Azure Machine Learning\",\n \"description\": \"Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status\",\n \"equals\": \"Approved\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id\",\n \"exists\": false\n },\n {\n \"value\": \"[[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]\",\n \"notEquals\": \"[[subscription().subscriptionId]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#144": "{\n \"name\": \"Deny-AA-child-resources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"No child resources in Automation Account\",\n \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"in\": [\n \"Microsoft.Automation/automationAccounts/runbooks\",\n \"Microsoft.Automation/automationAccounts/variables\",\n \"Microsoft.Automation/automationAccounts/modules\",\n \"Microsoft.Automation/automationAccounts/credentials\",\n \"Microsoft.Automation/automationAccounts/connections\",\n \"Microsoft.Automation/automationAccounts/certificates\"\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#145": "{\n \"name\": \"Deny-Databricks-NoPublicIp\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny public IPs for Databricks cluster\",\n \"description\": \"Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value\",\n \"notEquals\": true\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#146": "{\n \"name\": \"Deny-Databricks-Sku\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny non-premium Databricks sku\",\n \"description\": \"Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/sku.name\",\n \"notEquals\": \"premium\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#147": "{\n \"name\": \"Deny-Databricks-VirtualNetwork\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny Databricks workspaces without Vnet injection\",\n \"description\": \"Enforces the use of vnet injection for Databricks workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value\",\n \"exists\": false\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#148": "{\n \"name\": \"Deny-MachineLearning-Aks\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny AKS cluster creation in Azure Machine Learning\",\n \"description\": \"Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AKS\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/resourceId\",\n \"exists\": false\n },\n {\n \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]\",\n \"equals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#149": "{\n \"name\": \"Deny-MachineLearning-Compute-SubnetId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances\",\n \"description\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"in\": [\n \"AmlCompute\",\n \"ComputeInstance\"\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/subnet.id\",\n \"exists\": false\n },\n {\n \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]\",\n \"equals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#142": "{\n \"name\": \"Audit-MachineLearning-PrivateEndpointId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Control private endpoint connections to Azure Machine Learning\",\n \"description\": \"Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status\",\n \"equals\": \"Approved\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id\",\n \"exists\": false\n },\n {\n \"value\": \"[[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]\",\n \"notEquals\": \"[[subscription().subscriptionId]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#143": "{\n \"name\": \"Deny-AA-child-resources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"No child resources in Automation Account\",\n \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"in\": [\n \"Microsoft.Automation/automationAccounts/runbooks\",\n \"Microsoft.Automation/automationAccounts/variables\",\n \"Microsoft.Automation/automationAccounts/modules\",\n \"Microsoft.Automation/automationAccounts/credentials\",\n \"Microsoft.Automation/automationAccounts/connections\",\n \"Microsoft.Automation/automationAccounts/certificates\"\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#144": "{\n \"name\": \"Deny-Databricks-NoPublicIp\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny public IPs for Databricks cluster\",\n \"description\": \"Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value\",\n \"notEquals\": true\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#145": "{\n \"name\": \"Deny-Databricks-Sku\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny non-premium Databricks sku\",\n \"description\": \"Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/sku.name\",\n \"notEquals\": \"premium\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#146": "{\n \"name\": \"Deny-Databricks-VirtualNetwork\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny Databricks workspaces without Vnet injection\",\n \"description\": \"Enforces the use of vnet injection for Databricks workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value\",\n \"exists\": false\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#147": "{\n \"name\": \"Deny-MachineLearning-Aks\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny AKS cluster creation in Azure Machine Learning\",\n \"description\": \"Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AKS\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/resourceId\",\n \"exists\": false\n },\n {\n \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]\",\n \"equals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#148": "{\n \"name\": \"Deny-MachineLearning-Compute-SubnetId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances\",\n \"description\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"in\": [\n \"AmlCompute\",\n \"ComputeInstance\"\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/subnet.id\",\n \"exists\": false\n },\n {\n \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]\",\n \"equals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#149": "{\n \"name\": \"Deny-MachineLearning-Compute-VmSize\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances\",\n \"description\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"allowedVmSizes\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Allowed VM Sizes for Aml Compute Clusters and Instances\",\n \"description\": \"Specifies the allowed VM Sizes for Aml Compute Clusters and Instances\"\n },\n \"defaultValue\": [\n \"Standard_D1_v2\",\n \"Standard_D2_v2\",\n \"Standard_D3_v2\",\n \"Standard_D4_v2\",\n \"Standard_D11_v2\",\n \"Standard_D12_v2\",\n \"Standard_D13_v2\",\n \"Standard_D14_v2\",\n \"Standard_DS1_v2\",\n \"Standard_DS2_v2\",\n \"Standard_DS3_v2\",\n \"Standard_DS4_v2\",\n \"Standard_DS5_v2\",\n \"Standard_DS11_v2\",\n \"Standard_DS12_v2\",\n \"Standard_DS13_v2\",\n \"Standard_DS14_v2\",\n \"Standard_M8-2ms\",\n \"Standard_M8-4ms\",\n \"Standard_M8ms\",\n \"Standard_M16-4ms\",\n \"Standard_M16-8ms\",\n \"Standard_M16ms\",\n \"Standard_M32-8ms\",\n \"Standard_M32-16ms\",\n \"Standard_M32ls\",\n \"Standard_M32ms\",\n \"Standard_M32ts\",\n \"Standard_M64-16ms\",\n \"Standard_M64-32ms\",\n \"Standard_M64ls\",\n \"Standard_M64ms\",\n \"Standard_M64s\",\n \"Standard_M128-32ms\",\n \"Standard_M128-64ms\",\n \"Standard_M128ms\",\n \"Standard_M128s\",\n \"Standard_M64\",\n \"Standard_M64m\",\n \"Standard_M128\",\n \"Standard_M128m\",\n \"Standard_D1\",\n \"Standard_D2\",\n \"Standard_D3\",\n \"Standard_D4\",\n \"Standard_D11\",\n \"Standard_D12\",\n \"Standard_D13\",\n \"Standard_D14\",\n \"Standard_DS15_v2\",\n \"Standard_NV6\",\n \"Standard_NV12\",\n \"Standard_NV24\",\n \"Standard_F2s_v2\",\n \"Standard_F4s_v2\",\n \"Standard_F8s_v2\",\n \"Standard_F16s_v2\",\n \"Standard_F32s_v2\",\n \"Standard_F64s_v2\",\n \"Standard_F72s_v2\",\n \"Standard_NC6s_v3\",\n \"Standard_NC12s_v3\",\n \"Standard_NC24rs_v3\",\n \"Standard_NC24s_v3\",\n \"Standard_NC6\",\n \"Standard_NC12\",\n \"Standard_NC24\",\n \"Standard_NC24r\",\n \"Standard_ND6s\",\n \"Standard_ND12s\",\n \"Standard_ND24rs\",\n \"Standard_ND24s\",\n \"Standard_NC6s_v2\",\n \"Standard_NC12s_v2\",\n \"Standard_NC24rs_v2\",\n \"Standard_NC24s_v2\",\n \"Standard_ND40rs_v2\",\n \"Standard_NV12s_v3\",\n \"Standard_NV24s_v3\",\n \"Standard_NV48s_v3\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"in\": [\n \"AmlCompute\",\n \"ComputeInstance\"\n ]\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/vmSize\",\n \"notIn\": \"[[parameters('allowedVmSizes')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#15": "{\n \"name\": \"Deny-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny the creation of private DNS\",\n \"description\": \"This policy denies the creation of a private DNS in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateDnsZones\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#150": "{\n \"name\": \"Deny-MachineLearning-Compute-VmSize\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances\",\n \"description\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"allowedVmSizes\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Allowed VM Sizes for Aml Compute Clusters and Instances\",\n \"description\": \"Specifies the allowed VM Sizes for Aml Compute Clusters and Instances\"\n },\n \"defaultValue\": [\n \"Standard_D1_v2\",\n \"Standard_D2_v2\",\n \"Standard_D3_v2\",\n \"Standard_D4_v2\",\n \"Standard_D11_v2\",\n \"Standard_D12_v2\",\n \"Standard_D13_v2\",\n \"Standard_D14_v2\",\n \"Standard_DS1_v2\",\n \"Standard_DS2_v2\",\n \"Standard_DS3_v2\",\n \"Standard_DS4_v2\",\n \"Standard_DS5_v2\",\n \"Standard_DS11_v2\",\n \"Standard_DS12_v2\",\n \"Standard_DS13_v2\",\n \"Standard_DS14_v2\",\n \"Standard_M8-2ms\",\n \"Standard_M8-4ms\",\n \"Standard_M8ms\",\n \"Standard_M16-4ms\",\n \"Standard_M16-8ms\",\n \"Standard_M16ms\",\n \"Standard_M32-8ms\",\n \"Standard_M32-16ms\",\n \"Standard_M32ls\",\n \"Standard_M32ms\",\n \"Standard_M32ts\",\n \"Standard_M64-16ms\",\n \"Standard_M64-32ms\",\n \"Standard_M64ls\",\n \"Standard_M64ms\",\n \"Standard_M64s\",\n \"Standard_M128-32ms\",\n \"Standard_M128-64ms\",\n \"Standard_M128ms\",\n \"Standard_M128s\",\n \"Standard_M64\",\n \"Standard_M64m\",\n \"Standard_M128\",\n \"Standard_M128m\",\n \"Standard_D1\",\n \"Standard_D2\",\n \"Standard_D3\",\n \"Standard_D4\",\n \"Standard_D11\",\n \"Standard_D12\",\n \"Standard_D13\",\n \"Standard_D14\",\n \"Standard_DS15_v2\",\n \"Standard_NV6\",\n \"Standard_NV12\",\n \"Standard_NV24\",\n \"Standard_F2s_v2\",\n \"Standard_F4s_v2\",\n \"Standard_F8s_v2\",\n \"Standard_F16s_v2\",\n \"Standard_F32s_v2\",\n \"Standard_F64s_v2\",\n \"Standard_F72s_v2\",\n \"Standard_NC6s_v3\",\n \"Standard_NC12s_v3\",\n \"Standard_NC24rs_v3\",\n \"Standard_NC24s_v3\",\n \"Standard_NC6\",\n \"Standard_NC12\",\n \"Standard_NC24\",\n \"Standard_NC24r\",\n \"Standard_ND6s\",\n \"Standard_ND12s\",\n \"Standard_ND24rs\",\n \"Standard_ND24s\",\n \"Standard_NC6s_v2\",\n \"Standard_NC12s_v2\",\n \"Standard_NC24rs_v2\",\n \"Standard_NC24s_v2\",\n \"Standard_ND40rs_v2\",\n \"Standard_NV12s_v3\",\n \"Standard_NV24s_v3\",\n \"Standard_NV48s_v3\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"in\": [\n \"AmlCompute\",\n \"ComputeInstance\"\n ]\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/vmSize\",\n \"notIn\": \"[[parameters('allowedVmSizes')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#151": "{\n \"name\": \"Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deny public access of Azure Machine Learning clusters via SSH\",\n \"description\": \"Deny public access of Azure Machine Learning clusters via SSH.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AmlCompute\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n \"notEquals\": \"Disabled\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#152": "{\n \"name\": \"Deny-MachineLearning-ComputeCluster-Scale\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforce scale settings for Azure Machine Learning compute clusters\",\n \"description\": \"Enforce scale settings for Azure Machine Learning compute clusters.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"maxNodeCount\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Maximum Node Count\",\n \"description\": \"Specifies the maximum node count of AML Clusters\"\n },\n \"defaultValue\": 10\n },\n \"minNodeCount\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Minimum Node Count\",\n \"description\": \"Specifies the minimum node count of AML Clusters\"\n },\n \"defaultValue\": 0\n },\n \"maxNodeIdleTimeInSecondsBeforeScaleDown\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Maximum Node Idle Time in Seconds Before Scaledown\",\n \"description\": \"Specifies the maximum node idle time in seconds before scaledown\"\n },\n \"defaultValue\": 900\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AmlCompute\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount\",\n \"greater\": \"[[parameters('maxNodeCount')]\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount\",\n \"greater\": \"[[parameters('minNodeCount')]\"\n },\n {\n \"value\": \"[[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]\",\n \"greater\": \"[[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#153": "{\n \"name\": \"Deny-MachineLearning-HbiWorkspace\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforces high business impact Azure Machine Learning Workspaces\",\n \"description\": \"Enforces high business impact Azure Machine Learning workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n \"notEquals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#154": "{\n \"name\": \"Deny-MachineLearning-PublicAccessWhenBehindVnet\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny public access behind vnet to Azure Machine Learning workspace\",\n \"description\": \"Deny public access behind vnet to Azure Machine Learning workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n \"notEquals\": false\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#155": "{\n \"name\": \"Deny-MachineLearning-PublicNetworkAccess\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Azure Machine Learning should have disabled public network access\",\n \"description\": \"Denies public network access for Azure Machine Learning workspaces. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/438c38d2-3772-465a-a9cc-7a6666a275ce.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"438c38d2-3772-465a-a9cc-7a6666a275ce\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/publicNetworkAccess\",\n \"notEquals\": \"Disabled\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#156": "{\n \"name\": \"Deploy-Budget\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"description\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"budgetName\": {\n \"type\": \"String\",\n \"defaultValue\": \"budget-set-by-policy\",\n \"metadata\": {\n \"description\": \"The name for the budget to be created\"\n }\n },\n \"amount\": {\n \"type\": \"String\",\n \"defaultValue\": \"1000\",\n \"metadata\": {\n \"description\": \"The total amount of cost or usage to track with the budget\"\n }\n },\n \"timeGrain\": {\n \"type\": \"String\",\n \"defaultValue\": \"Monthly\",\n \"allowedValues\": [\n \"Monthly\",\n \"Quarterly\",\n \"Annually\",\n \"BillingMonth\",\n \"BillingQuarter\",\n \"BillingAnnual\"\n ],\n \"metadata\": {\n \"description\": \"The time covered by a budget. Tracking of the amount will be reset based on the time grain.\"\n }\n },\n \"firstThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"90\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"secondThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"100\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"contactRoles\": {\n \"type\": \"Array\",\n \"defaultValue\": [\n \"Owner\",\n \"Contributor\"\n ],\n \"metadata\": {\n \"description\": \"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactEmails\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactGroups\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Consumption/budgets/amount\",\n \"equals\": \"[[parameters('amount')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/timeGrain\",\n \"equals\": \"[[parameters('timeGrain')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/category\",\n \"equals\": \"Cost\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"budgetName\": {\n \"value\": \"[[parameters('budgetName')]\"\n },\n \"amount\": {\n \"value\": \"[[parameters('amount')]\"\n },\n \"timeGrain\": {\n \"value\": \"[[parameters('timeGrain')]\"\n },\n \"firstThreshold\": {\n \"value\": \"[[parameters('firstThreshold')]\"\n },\n \"secondThreshold\": {\n \"value\": \"[[parameters('secondThreshold')]\"\n },\n \"contactEmails\": {\n \"value\": \"[[parameters('contactEmails')]\"\n },\n \"contactRoles\": {\n \"value\": \"[[parameters('contactRoles')]\"\n },\n \"contactGroups\": {\n \"value\": \"[[parameters('contactGroups')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"budgetName\": {\n \"type\": \"String\"\n },\n \"amount\": {\n \"type\": \"String\"\n },\n \"timeGrain\": {\n \"type\": \"String\"\n },\n \"firstThreshold\": {\n \"type\": \"String\"\n },\n \"secondThreshold\": {\n \"type\": \"String\"\n },\n \"contactEmails\": {\n \"type\": \"Array\"\n },\n \"contactRoles\": {\n \"type\": \"Array\"\n },\n \"contactGroups\": {\n \"type\": \"Array\"\n },\n \"startDate\": {\n \"type\": \"String\",\n \"defaultValue\": \"[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"[[parameters('budgetName')]\",\n \"properties\": {\n \"timePeriod\": {\n \"startDate\": \"[[parameters('startDate')]\"\n },\n \"timeGrain\": \"[[parameters('timeGrain')]\",\n \"amount\": \"[[parameters('amount')]\",\n \"category\": \"Cost\",\n \"notifications\": {\n \"NotificationForExceededBudget1\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('firstThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n },\n \"NotificationForExceededBudget2\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('secondThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n }\n }\n }\n }\n ]\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#157": "{\n \"name\": \"Deploy-Diagnostics-AVDScalingPlans\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DesktopVirtualization/scalingplans\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DesktopVirtualization/scalingplans/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"Autoscale\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#150": "{\n \"name\": \"Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deny public access of Azure Machine Learning clusters via SSH\",\n \"description\": \"Deny public access of Azure Machine Learning clusters via SSH.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AmlCompute\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n \"notEquals\": \"Disabled\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#151": "{\n \"name\": \"Deny-MachineLearning-ComputeCluster-Scale\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforce scale settings for Azure Machine Learning compute clusters\",\n \"description\": \"Enforce scale settings for Azure Machine Learning compute clusters.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"maxNodeCount\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Maximum Node Count\",\n \"description\": \"Specifies the maximum node count of AML Clusters\"\n },\n \"defaultValue\": 10\n },\n \"minNodeCount\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Minimum Node Count\",\n \"description\": \"Specifies the minimum node count of AML Clusters\"\n },\n \"defaultValue\": 0\n },\n \"maxNodeIdleTimeInSecondsBeforeScaleDown\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Maximum Node Idle Time in Seconds Before Scaledown\",\n \"description\": \"Specifies the maximum node idle time in seconds before scaledown\"\n },\n \"defaultValue\": 900\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AmlCompute\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount\",\n \"greater\": \"[[parameters('maxNodeCount')]\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount\",\n \"greater\": \"[[parameters('minNodeCount')]\"\n },\n {\n \"value\": \"[[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]\",\n \"greater\": \"[[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#152": "{\n \"name\": \"Deny-MachineLearning-HbiWorkspace\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforces high business impact Azure Machine Learning Workspaces\",\n \"description\": \"Enforces high business impact Azure Machine Learning workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n \"notEquals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#153": "{\n \"name\": \"Deny-MachineLearning-PublicAccessWhenBehindVnet\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny public access behind vnet to Azure Machine Learning workspace\",\n \"description\": \"Deny public access behind vnet to Azure Machine Learning workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n \"notEquals\": false\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#154": "{\n \"name\": \"Deny-MachineLearning-PublicNetworkAccess\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Azure Machine Learning should have disabled public network access\",\n \"description\": \"Denies public network access for Azure Machine Learning workspaces. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/438c38d2-3772-465a-a9cc-7a6666a275ce.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"438c38d2-3772-465a-a9cc-7a6666a275ce\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/publicNetworkAccess\",\n \"notEquals\": \"Disabled\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#155": "{\n \"name\": \"Deploy-Budget\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"description\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"budgetName\": {\n \"type\": \"String\",\n \"defaultValue\": \"budget-set-by-policy\",\n \"metadata\": {\n \"description\": \"The name for the budget to be created\"\n }\n },\n \"amount\": {\n \"type\": \"String\",\n \"defaultValue\": \"1000\",\n \"metadata\": {\n \"description\": \"The total amount of cost or usage to track with the budget\"\n }\n },\n \"timeGrain\": {\n \"type\": \"String\",\n \"defaultValue\": \"Monthly\",\n \"allowedValues\": [\n \"Monthly\",\n \"Quarterly\",\n \"Annually\",\n \"BillingMonth\",\n \"BillingQuarter\",\n \"BillingAnnual\"\n ],\n \"metadata\": {\n \"description\": \"The time covered by a budget. Tracking of the amount will be reset based on the time grain.\"\n }\n },\n \"firstThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"90\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"secondThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"100\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"contactRoles\": {\n \"type\": \"Array\",\n \"defaultValue\": [\n \"Owner\",\n \"Contributor\"\n ],\n \"metadata\": {\n \"description\": \"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactEmails\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactGroups\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Consumption/budgets/amount\",\n \"equals\": \"[[parameters('amount')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/timeGrain\",\n \"equals\": \"[[parameters('timeGrain')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/category\",\n \"equals\": \"Cost\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"budgetName\": {\n \"value\": \"[[parameters('budgetName')]\"\n },\n \"amount\": {\n \"value\": \"[[parameters('amount')]\"\n },\n \"timeGrain\": {\n \"value\": \"[[parameters('timeGrain')]\"\n },\n \"firstThreshold\": {\n \"value\": \"[[parameters('firstThreshold')]\"\n },\n \"secondThreshold\": {\n \"value\": \"[[parameters('secondThreshold')]\"\n },\n \"contactEmails\": {\n \"value\": \"[[parameters('contactEmails')]\"\n },\n \"contactRoles\": {\n \"value\": \"[[parameters('contactRoles')]\"\n },\n \"contactGroups\": {\n \"value\": \"[[parameters('contactGroups')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"budgetName\": {\n \"type\": \"String\"\n },\n \"amount\": {\n \"type\": \"String\"\n },\n \"timeGrain\": {\n \"type\": \"String\"\n },\n \"firstThreshold\": {\n \"type\": \"String\"\n },\n \"secondThreshold\": {\n \"type\": \"String\"\n },\n \"contactEmails\": {\n \"type\": \"Array\"\n },\n \"contactRoles\": {\n \"type\": \"Array\"\n },\n \"contactGroups\": {\n \"type\": \"Array\"\n },\n \"startDate\": {\n \"type\": \"String\",\n \"defaultValue\": \"[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"[[parameters('budgetName')]\",\n \"properties\": {\n \"timePeriod\": {\n \"startDate\": \"[[parameters('startDate')]\"\n },\n \"timeGrain\": \"[[parameters('timeGrain')]\",\n \"amount\": \"[[parameters('amount')]\",\n \"category\": \"Cost\",\n \"notifications\": {\n \"NotificationForExceededBudget1\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('firstThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n },\n \"NotificationForExceededBudget2\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('secondThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n }\n }\n }\n }\n ]\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#156": "{\n \"name\": \"Deploy-Diagnostics-AVDScalingPlans\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DesktopVirtualization/scalingplans\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DesktopVirtualization/scalingplans/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"Autoscale\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#157": "{\n \"name\": \"Deploy-Vm-autoShutdown\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Virtual Machine Auto Shutdown Schedule\",\n \"description\": \"Deploys an auto shutdown schedule to a virtual machine\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Compute\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\" ]\n },\n \"parameters\": {\n \"time\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Scheduled Shutdown Time\",\n \"description\": \"Daily Scheduled shutdown time. i.e. 2300 = 11:00 PM\"\n },\n \"defaultValue\": \"0000\"\n },\n \"timeZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"UTC\",\n \"metadata\": {\n \"displayName\": \"Time zone\",\n \"description\": \"The time zone ID (e.g. Pacific Standard time).\"\n }\n },\n \"EnableNotification\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"metadata\": {\n \"displayName\": \"Send Notification before auto-shutdown\",\n \"description\": \"If notifications are enabled for this schedule (i.e. Enabled, Disabled).\"\n },\n \"allowedValues\": [\n \"Disabled\",\n \"Enabled\"\n ]\n },\n \"NotificationEmailRecipient\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"Email Address\",\n \"description\": \"Email address to be used for notification\"\n }\n },\n \"NotificationWebhookUrl\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"Webhook URL\",\n \"description\": \"A notification will be posted to the specified webhook endpoint when the auto-shutdown is about to happen.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n \"then\": {\n \"effect\": \"deployIfNotExists\",\n \"details\": {\n \"type\": \"Microsoft.DevTestLab/schedules\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.DevTestLab/schedules/taskType\",\n \"equals\": \"ComputeVmShutdownTask\"\n },\n {\n \"field\": \"Microsoft.DevTestLab/schedules/targetResourceId\",\n \"equals\": \"[[concat(resourceGroup().id,'/providers/Microsoft.Compute/virtualMachines/',field('name'))]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"vmName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n },\n \"time\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"Daily Scheduled shutdown time. i.e. 2300 = 11:00 PM\"\n }\n },\n \"timeZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"The time zone ID (e.g. Pacific Standard time).\"\n }\n },\n \"EnableNotification\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"If notifications are enabled for this schedule (i.e. Enabled, Disabled).\"\n }\n },\n \"NotificationEmailRecipient\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"Email address to be used for notification\"\n }\n },\n \"NotificationWebhookUrl\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"A notification will be posted to the specified webhook endpoint when the auto-shutdown is about to happen.\"\n }\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"[[concat('shutdown-computevm-',parameters('vmName'))]\",\n \"type\": \"Microsoft.DevTestLab/schedules\",\n \"location\": \"[[parameters('location')]\",\n \"apiVersion\": \"2018-09-15\",\n \"properties\": {\n \"status\": \"Enabled\",\n \"taskType\": \"ComputeVmShutdownTask\",\n \"dailyRecurrence\": {\n \"time\": \"[[parameters('time')]\"\n },\n \"timeZoneId\": \"[[parameters('timeZoneId')]\",\n \"notificationSettings\": {\n \"status\": \"[[parameters('EnableNotification')]\",\n \"timeInMinutes\": 30,\n \"webhookUrl\": \"[[parameters('NotificationWebhookUrl')]\",\n \"emailRecipient\": \"[[parameters('NotificationEmailRecipient')]\",\n \"notificationLocale\": \"en\"\n },\n \"targetResourceId\": \"[[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"time\": {\n \"value\": \"[[parameters('time')]\"\n },\n \"timeZoneId\": {\n \"value\": \"[[parameters('timeZoneId')]\"\n },\n \"EnableNotification\": {\n \"value\": \"[[parameters('EnableNotification')]\"\n },\n \"NotificationEmailRecipient\": {\n \"value\": \"[[parameters('NotificationEmailRecipient')]\"\n },\n \"NotificationWebhookUrl\": {\n \"value\": \"[[parameters('NotificationWebhookUrl')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", "$fxv#158": "{\n \"name\": \"Deny-AFSPaasPublicIP\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Public network access should be disabled for Azure File Sync\",\n \"description\": \"Disabling the public endpoint allows you to restrict access to your Storage Sync Service resource to requests destined to approved private endpoints on your organization's network. There is nothing inherently insecure about allowing requests to the public endpoint, however, you may wish to disable it to meet regulatory, legal, or organizational policy requirements. You can disable the public endpoint for a Storage Sync Service by setting the incomingTrafficPolicy of the resource to AllowVirtualNetworksOnly.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.StorageSync/storageSyncServices\"\n },\n {\n \"field\": \"Microsoft.StorageSync/storageSyncServices/incomingTrafficPolicy\",\n \"notEquals\": \"AllowVirtualNetworksOnly\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#159": "{\n \"name\": \"Deny-KeyVaultPaasPublicIP\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Preview: Azure Key Vault should disable public network access\",\n \"description\": \"Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink.\",\n \"metadata\": {\n \"version\": \"2.0.0-preview\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"preview\": true,\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.KeyVault/vaults\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.KeyVault/vaults/createMode\",\n \"equals\": \"recover\"\n }\n },\n {\n \"field\": \"Microsoft.KeyVault/vaults/networkAcls.defaultAction\",\n \"notEquals\": \"Deny\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#16": "{\n \"name\": \"Deny-PublicEndpoint-MariaDB\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Public network access should be disabled for MariaDB\",\n \"description\": \"This policy denies the creation of Maria DB accounts with exposed public endpoints. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/fdccbe47-f3e3-4213-ad5d-ea459b2fa077.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforMariaDB/servers\"\n },\n {\n \"field\": \"Microsoft.DBforMariaDB/servers/publicNetworkAccess\",\n \"notequals\": \"Disabled\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", @@ -406,10 +406,10 @@ "[variables('$fxv#138')]", "[variables('$fxv#139')]", "[variables('$fxv#140')]", - "[variables('$fxv#141')]", - "[variables('$fxv#142')]" + "[variables('$fxv#141')]" ], "AzureCloud": [ + "[variables('$fxv#142')]", "[variables('$fxv#143')]", "[variables('$fxv#144')]", "[variables('$fxv#145')]", From 56f8ce22963d7818b7fda2f4322c0ae2e6e0dbb8 Mon Sep 17 00:00:00 2001 From: yuanzhang9 Date: Fri, 16 Aug 2024 19:02:58 +0800 Subject: [PATCH 26/35] Exclude mooncake for diag logs policy and MG --- eslzArm/eslzArm.json | 11 ++++++----- .../mcENFORCE-GuardrailsKeyVaultPolicyAssignment.json | 2 +- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index d4582268b8..c08633b9ea 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -2677,9 +2677,8 @@ }, { // Deploying Diagnostic Settings to management groups if Log Analytics was deployed via a loop - "condition": "[and(empty(parameters('singlePlatformSubscriptionId')), not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes'))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", + // exclude Mooncake since Management Group Diagnostic Settings Rest API is NOT supported in Azure China. https://learn.microsoft.com/en-us/answers/questions/1640390/confirm-if-management-group-diagnostic-settings-re + "condition": "[and(empty(parameters('singlePlatformSubscriptionId')), not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes'), not(equals(environment().resourceManager, 'https://management.chinacloudapi.cn')))]", "name": "[take(concat(variables('mgmtGroupsArray')[copyIndex()], variables('deploymentNames').diagnosticSettingsforMGsDeploymentName), 64)]", "scope": "[concat('Microsoft.Management/managementGroups/', variables('mgmtGroupsArray')[copyIndex()])]", "location": "[deployment().location]", @@ -4132,7 +4131,8 @@ }, { // Assigning Azure Monitor Resource Diagnostics policy to intermediate root management group if condition is true - "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'))]", + // exclude China since the build-in initiative(0884adba-2312-4468-abeb-5422caed1038) doesn't exist in China + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), not(equals(environment().resourceManager, 'https://management.chinacloudapi.cn')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "[variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName]", @@ -4162,7 +4162,8 @@ }, { // Assigning Azure Activity Diagnostics Log policy to intermediate root management group if condition is true - "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'))]", + //exclude Mooncake since the build-in initiative(2465583e-4e78-4c15-b6be-a36cbc7c8b0f) doesn't exist in Mooncake + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), not(equals(environment().resourceManager, 'https://management.chinacloudapi.cn')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "[variables('deploymentNames').activityDiagnosticsPolicyDeploymentName]", diff --git a/eslzArm/managementGroupTemplates/policyAssignments/china/mcENFORCE-GuardrailsKeyVaultPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/china/mcENFORCE-GuardrailsKeyVaultPolicyAssignment.json index aef6ea5d0a..b64a1b9397 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/china/mcENFORCE-GuardrailsKeyVaultPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/china/mcENFORCE-GuardrailsKeyVaultPolicyAssignment.json @@ -23,7 +23,7 @@ }, "variables": { "policyDefinitions": { - "enforceGuardrailsKeyVault": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVaul-AzureChinaCloud')]" + "enforceGuardrailsKeyVault": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-AzureChinaCloud')]" }, "policyAssignmentNames": { "enforceGuardrailsKeyVault": "Enforce-GR-KeyVault", From 798e3050ba2a71c9351961f904f7a42f13e9d8bc Mon Sep 17 00:00:00 2001 From: yuanzhang9 Date: Fri, 16 Aug 2024 19:30:04 +0800 Subject: [PATCH 27/35] Typo fixed by adding items --- eslzArm/eslzArm.json | 2 ++ 1 file changed, 2 insertions(+) diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index c08633b9ea..c52d30dd96 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -2679,6 +2679,8 @@ // Deploying Diagnostic Settings to management groups if Log Analytics was deployed via a loop // exclude Mooncake since Management Group Diagnostic Settings Rest API is NOT supported in Azure China. https://learn.microsoft.com/en-us/answers/questions/1640390/confirm-if-management-group-diagnostic-settings-re "condition": "[and(empty(parameters('singlePlatformSubscriptionId')), not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes'), not(equals(environment().resourceManager, 'https://management.chinacloudapi.cn')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", "name": "[take(concat(variables('mgmtGroupsArray')[copyIndex()], variables('deploymentNames').diagnosticSettingsforMGsDeploymentName), 64)]", "scope": "[concat('Microsoft.Management/managementGroups/', variables('mgmtGroupsArray')[copyIndex()])]", "location": "[deployment().location]", From f0e9a25bd5c7e4b20e6a885173f73a011f085fac Mon Sep 17 00:00:00 2001 From: yuanzhang9 Date: Fri, 16 Aug 2024 23:53:01 +0800 Subject: [PATCH 28/35] Update private DNS zone policy assignment --- .../china/mcDINE-PrivateDNSZonesPolicyAssignment.json | 9 --------- 1 file changed, 9 deletions(-) diff --git a/eslzArm/managementGroupTemplates/policyAssignments/china/mcDINE-PrivateDNSZonesPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/china/mcDINE-PrivateDNSZonesPolicyAssignment.json index ea92ddb98e..4e8caae62f 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/china/mcDINE-PrivateDNSZonesPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/china/mcDINE-PrivateDNSZonesPolicyAssignment.json @@ -303,9 +303,6 @@ "azureMonitorPrivateDnsZoneId5": { "value": "[variables('policyParameterMapping').azureMonitorPrivateDnsZoneId5]" }, - "azureWebPrivateDnsZoneId": { - "value": "[variables('policyParameterMapping').azureWebPrivateDnsZoneId]" - }, "azureBatchPrivateDnsZoneId": { "value": "[variables('policyParameterMapping').azureBatchPrivateDnsZoneId]" }, @@ -368,12 +365,6 @@ "azureVirtualDesktopWorkspacePrivateDnsZoneId": { "value": "[variables('policyParameterMapping').azureVirtualDesktopWorkspacePrivateDnsZoneId]" }, - /* - Remove "azureIotDeviceupdatePrivateDnsZoneId" due to missing built-in Policy Definitions(a222b93a-e6c2-4c01-817f-21e092455b2a) - "azureIotDeviceupdatePrivateDnsZoneId": { - "value": "[variables('policyParameterMapping').azureIotDeviceupdatePrivateDnsZoneId]" - }, - */ "azureStorageTablePrivateDnsZoneId": { "value": "[variables('policyParameterMapping').azureStorageTablePrivateDnsZoneId]" }, From f7fbfe540d22f72fcb9eb87d4723c3456ed1059f Mon Sep 17 00:00:00 2001 From: yuanzhang9 Date: Sat, 17 Aug 2024 11:32:17 +0800 Subject: [PATCH 29/35] Update mdfc configuration with API version to 2023-01-01 as 2024-01-01 not supported in mooncake --- eslzArm/eslzArm.json | 13 +- .../mcmdfcConfiguration.json | 683 ++++++++++++++++++ 2 files changed, 694 insertions(+), 2 deletions(-) create mode 100644 eslzArm/subscriptionTemplates/mcmdfcConfiguration.json diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index c52d30dd96..104f7fdf5d 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -1637,8 +1637,17 @@ "https://management.usgovcloudapi.net": "managementGroupTemplates/policyAssignments/ENFORCE-ALZ-DecommissionedPolicyAssignment.json", // This needs to be updated for USGovernmentCloud "https://management.chinacloudapi.cn": "managementGroupTemplates/policyAssignments/china/mcENFORCE-ALZ-DecommissionedPolicyAssignment.json" - }, + }, "decommissionPolicyAssignment": "[variables('decommissionPolicyAssignmentMapping')[environment().resourceManager]]", + + "MDFCSubscriptionEnablementMapping": { + "https://management.azure.com/": "subscriptionTemplates/mdfcConfiguration.json", + "https://management.usgovcloudapi.net": "subscriptionTemplates/mdfcConfiguration.json", // This needs to be updated for USGovernmentCloud + "https://management.chinacloudapi.cn": "subscriptionTemplates/mcmdfcConfiguration.json" + + }, + "MDFCSubscriptionEnablement": "[variables('MDFCSubscriptionEnablementMapping')[environment().resourceManager]]", + "deploymentUris": { "managementGroups": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/mgmtGroupStructure/mgmtGroups.json')]", @@ -1718,7 +1727,7 @@ "ChangeTrackingVmssPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMSSPolicyAssignment.json')]", "MDFCDefenderSqlAma": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-MDFCDefenderSQLAMAPolicyAssignment.json')]", "dataCollectionRuleMdfcDefenderSQL": "[uri(deployment().properties.templateLink.uri, 'resourceGroupTemplates/dataCollectionRule-DefenderSQL.json')]", - "MDFCSubscriptionEnablement": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/mdfcConfiguration.json')]", + "MDFCSubscriptionEnablement": "[uri(deployment().properties.templateLink.uri, variables('MDFCSubscriptionEnablement'))]", // Workload Specific Compliance Initiatives "wsCMKPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-EncryptionCMKPolicyAssignment.json')]", "wsAPIMPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsAPIMPolicyAssignment.json')]", diff --git a/eslzArm/subscriptionTemplates/mcmdfcConfiguration.json b/eslzArm/subscriptionTemplates/mcmdfcConfiguration.json new file mode 100644 index 0000000000..0811bbdaf3 --- /dev/null +++ b/eslzArm/subscriptionTemplates/mcmdfcConfiguration.json @@ -0,0 +1,683 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "enableAscForServers": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForCosmosDbs": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForSql": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForSqlOnVm": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForArm": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForOssDb": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForAppServices": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForKeyVault": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForStorage": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForContainers": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForApis": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForCspm": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "resourceGroupLocation": { + "type": "String", + "metadata": { + "displayName": "Resource group location", + "description": "The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.", + "strongType": "location" + } + }, + "resourceGroupName": { + "type": "String", + "metadata": { + "displayName": "Resource group name", + "description": "The name of the resource group hosting the Log Analytics workspace." + } + }, + "logAnalyticsResourceId": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "The Log Analytics workspace of where the data should be exported to.", + "strongType": "Microsoft.OperationalInsights/workspaces", + "assignPermissions": true + } + }, + "emailContactAsc": { + "type": "String", + "metadata": { + "displayName": "Resource group name", + "description": "The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured." + } + }, + "exportedDataTypes": { + "type": "Array", + "metadata": { + "displayName": "Exported data types", + "description": "The data types to be exported. To export a snapshot (preview) of the data once a week, choose the data types which contains 'snapshot', other data types will be sent in real-time streaming." + }, + "allowedValues": [ + "Security recommendations", + "Security alerts", + "Overall secure score", + "Secure score controls", + "Regulatory compliance", + "Overall secure score - snapshot", + "Secure score controls - snapshot", + "Regulatory compliance - snapshot", + "Security recommendations - snapshot", + "Security findings - snapshot" + ], + "defaultValue": [ + "Security recommendations", + "Security alerts", + "Overall secure score", + "Secure score controls", + "Regulatory compliance", + "Overall secure score - snapshot", + "Secure score controls - snapshot", + "Regulatory compliance - snapshot", + "Security recommendations - snapshot", + "Security findings - snapshot" + ] + }, + "recommendationNames": { + "type": "Array", + "metadata": { + "displayName": "Recommendation IDs", + "description": "Applicable only for export of security recommendations. To export all recommendations, leave this empty. To export specific recommendations, enter a list of recommendation IDs separated by semicolons (';'). Recommendation IDs are available through the Assessments API (https://docs.microsoft.com/rest/api/securitycenter/assessments), or Azure Resource Graph Explorer, choose securityresources and microsoft.security/assessments." + }, + "defaultValue": [] + }, + "recommendationSeverities": { + "type": "Array", + "metadata": { + "displayName": "Recommendation severities", + "description": "Applicable only for export of security recommendations. Determines recommendation severities. Example: High;Medium;Low;" + }, + "allowedValues": [ + "High", + "Medium", + "Low" + ], + "defaultValue": [ + "High", + "Medium", + "Low" + ] + }, + "isSecurityFindingsEnabled": { + "type": "bool", + "metadata": { + "displayName": "Include security findings", + "description": "Security findings are results from vulnerability assessment solutions, and can be thought of as 'sub' recommendations grouped into a 'parent' recommendation." + }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + }, + "secureScoreControlsNames": { + "type": "Array", + "metadata": { + "displayName": "Secure Score Controls IDs", + "description": "Applicable only for export of secure score controls. To export all secure score controls, leave this empty. To export specific secure score controls, enter a list of secure score controls IDs separated by semicolons (';'). Secure score controls IDs are available through the Secure score controls API (https://docs.microsoft.com/rest/api/securitycenter/securescorecontrols), or Azure Resource Graph Explorer, choose securityresources and microsoft.security/securescores/securescorecontrols." + }, + "defaultValue": [] + }, + "alertSeverities": { + "type": "Array", + "metadata": { + "displayName": "Alert severities", + "description": "Applicable only for export of security alerts. Determines alert severities. Example: High;Medium;Low;" + }, + "allowedValues": [ + "High", + "Medium", + "Low" + ], + "defaultValue": [ + "High", + "Medium", + "Low" + ] + }, + "regulatoryComplianceStandardsNames": { + "type": "Array", + "metadata": { + "displayName": "Regulatory compliance standards names", + "description": "Applicable only for export of regulatory compliance. To export all regulatory compliance, leave this empty. To export specific regulatory compliance standards, enter a list of these standards names separated by semicolons (';'). Regulatory compliance standards names are available through the regulatory compliance standards API (https://docs.microsoft.com/rest/api/securitycenter/regulatorycompliancestandards), or Azure Resource Graph Explorer, choose securityresources and microsoft.security/regulatorycompliancestandards." + }, + "defaultValue": [] + }, + "guidValue": { + "type": "string", + "defaultValue": "[newGuid()]" + } + }, + "variables": { + "scopeDescription": "scope for subscription {0}", + "subAssessmentRuleExpectedValue": "/assessments/{0}/", + "recommendationNamesLength": "[length(parameters('recommendationNames'))]", + "secureScoreControlsNamesLength": "[length(parameters('secureScoreControlsNames'))]", + "secureScoreControlsLengthIfEmpty": "[if(equals(variables('secureScoreControlsNamesLength'), 0), 1, variables('secureScoreControlsNamesLength'))]", + "regulatoryComplianceStandardsNamesLength": "[length(parameters('regulatoryComplianceStandardsNames'))]", + "regulatoryComplianceStandardsNamesLengthIfEmpty": "[if(equals(variables('regulatoryComplianceStandardsNamesLength'), 0), 1, variables('regulatoryComplianceStandardsNamesLength'))]", + "recommendationSeveritiesLength": "[length(parameters('recommendationSeverities'))]", + "alertSeveritiesLength": "[length(parameters('alertSeverities'))]", + "recommendationNamesLengthIfEmpty": "[if(equals(variables('recommendationNamesLength'), 0), 1, variables('recommendationNamesLength'))]", + "recommendationSeveritiesLengthIfEmpty": "[if(equals(variables('recommendationSeveritiesLength'), 0), 1, variables('recommendationSeveritiesLength'))]", + "alertSeveritiesLengthIfEmpty": "[if(equals(variables('alertSeveritiesLength'), 0), 1, variables('alertSeveritiesLength'))]", + "totalRuleCombinationsForOneRecommendationName": "[variables('recommendationSeveritiesLengthIfEmpty')]", + "totalRuleCombinationsForOneRecommendationSeverity": 1, + "exportedDataTypesLength": "[length(parameters('exportedDataTypes'))]", + "exportedDataTypesLengthIfEmpty": "[if(equals(variables('exportedDataTypesLength'), 0), 1, variables('exportedDataTypesLength'))]", + "dataTypeMap": { + "Security recommendations": "Assessments", + "Security alerts": "Alerts", + "Overall secure score": "SecureScores", + "Secure score controls": "SecureScoreControls", + "Regulatory compliance": "RegulatoryComplianceAssessment", + "Overall secure score - snapshot": "SecureScoresSnapshot", + "Secure score controls - snapshot": "SecureScoreControlsSnapshot", + "Regulatory compliance - snapshot": "RegulatoryComplianceAssessmentSnapshot", + "Security recommendations - snapshot": "AssessmentsSnapshot", + "Security findings - snapshot": "SubAssessmentsSnapshot" + }, + "alertSeverityMap": { + "High": "high", + "Medium": "medium", + "Low": "low" + }, + "ruleSetsForAssessmentsObj": { + "copy": [ + { + "name": "ruleSetsForAssessmentsArr", + "count": "[mul(variables('recommendationNamesLengthIfEmpty'),variables('recommendationSeveritiesLengthIfEmpty'))]", + "input": { + "rules": [ + { + "propertyJPath": "[if(equals(variables('recommendationNamesLength'),0),'type','name')]", + "propertyType": "string", + "expectedValue": "[if(equals(variables('recommendationNamesLength'),0),'Microsoft.Security/assessments',parameters('recommendationNames')[mod(div(copyIndex('ruleSetsForAssessmentsArr'),variables('totalRuleCombinationsForOneRecommendationName')),variables('recommendationNamesLength'))])]", + "operator": "Contains" + }, + { + "propertyJPath": "properties.metadata.severity", + "propertyType": "string", + "expectedValue": "[parameters('recommendationSeverities')[mod(div(copyIndex('ruleSetsForAssessmentsArr'),variables('totalRuleCombinationsForOneRecommendationSeverity')),variables('recommendationSeveritiesLength'))]]", + "operator": "Equals" + } + ] + } + } + ] + }, + "customRuleSetsForSubAssessmentsObj": { + "copy": [ + { + "name": "ruleSetsForSubAssessmentsArr", + "count": "[variables('recommendationNamesLengthIfEmpty')]", + "input": { + "rules": [ + { + "propertyJPath": "id", + "propertyType": "string", + "expectedValue": "[if(equals(variables('recommendationNamesLength'), 0), json('null'), replace(variables('subAssessmentRuleExpectedValue'),'{0}', parameters('recommendationNames')[copyIndex('ruleSetsForSubAssessmentsArr')]))]", + "operator": "Contains" + } + ] + } + } + ] + }, + "ruleSetsForAlertsObj": { + "copy": [ + { + "name": "ruleSetsForAlertsArr", + "count": "[variables('alertSeveritiesLengthIfEmpty')]", + "input": { + "rules": [ + { + "propertyJPath": "Severity", + "propertyType": "string", + "expectedValue": "[variables('alertSeverityMap')[parameters('alertSeverities')[mod(copyIndex('ruleSetsForAlertsArr'),variables('alertSeveritiesLengthIfEmpty'))]]]", + "operator": "Equals" + } + ] + } + } + ] + }, + "customRuleSetsForSecureScoreControlsObj": { + "copy": [ + { + "name": "ruleSetsForSecureScoreControlsArr", + "count": "[variables('secureScoreControlsLengthIfEmpty')]", + "input": { + "rules": [ + { + "propertyJPath": "name", + "propertyType": "string", + "expectedValue": "[if(equals(variables('secureScoreControlsNamesLength'), 0), json('null'), parameters('secureScoreControlsNames')[copyIndex('ruleSetsForSecureScoreControlsArr')])]", + "operator": "Equals" + } + ] + } + } + ] + }, + "customRuleSetsForRegulatoryComplianceObj": { + "copy": [ + { + "name": "ruleSetsForRegulatoryCompliancArr", + "count": "[variables('regulatoryComplianceStandardsNamesLengthIfEmpty')]", + "input": { + "rules": [ + { + "propertyJPath": "id", + "propertyType": "string", + "expectedValue": "[if(equals(variables('regulatoryComplianceStandardsNamesLength'), 0), json('null'), parameters('regulatoryComplianceStandardsNames')[copyIndex('ruleSetsForRegulatoryCompliancArr')])]", + "operator": "Contains" + } + ] + } + } + ] + }, + "ruleSetsForSecureScoreControlsObj": "[if(equals(variables('secureScoreControlsNamesLength'), 0), json('null'), variables('customRuleSetsForSecureScoreControlsObj').ruleSetsForSecureScoreControlsArr)]", + "ruleSetsForSecureRegulatoryComplianceObj": "[if(equals(variables('regulatoryComplianceStandardsNamesLength'), 0), json('null'), variables('customRuleSetsForRegulatoryComplianceObj').ruleSetsForRegulatoryCompliancArr)]", + "ruleSetsForSubAssessmentsObj": "[if(equals(variables('recommendationNamesLength'), 0), json('null'), variables('customRuleSetsForSubAssessmentsObj').ruleSetsForSubAssessmentsArr)]", + "subAssessmentSource": [ + { + "eventSource": "SubAssessments", + "ruleSets": "[variables('ruleSetsForSubAssessmentsObj')]" + } + ], + "ruleSetsMap": { + "Security recommendations": "[variables('ruleSetsForAssessmentsObj').ruleSetsForAssessmentsArr]", + "Security alerts": "[variables('ruleSetsForAlertsObj').ruleSetsForAlertsArr]", + "Overall secure score": null, + "Secure score controls": "[variables('ruleSetsForSecureScoreControlsObj')]", + "Regulatory compliance": "[variables('ruleSetsForSecureRegulatoryComplianceObj')]", + "Overall secure score - snapshot": null, + "Secure score controls - snapshot": "[variables('ruleSetsForSecureScoreControlsObj')]", + "Regulatory compliance - snapshot": "[variables('ruleSetsForSecureRegulatoryComplianceObj')]", + "Security recommendations - snapshot": "[variables('ruleSetsForAssessmentsObj').ruleSetsForAssessmentsArr]", + "Security findings - snapshot": "[variables('ruleSetsForSubAssessmentsObj')]" + }, + "sourcesWithoutSubAssessments": { + "copy": [ + { + "name": "sources", + "count": "[variables('exportedDataTypesLengthIfEmpty')]", + "input": { + "eventSource": "[variables('dataTypeMap')[parameters('exportedDataTypes')[copyIndex('sources')]]]", + "ruleSets": "[variables('ruleSetsMap')[parameters('exportedDataTypes')[copyIndex('sources')]]]" + } + } + ] + }, + "sourcesWithSubAssessments": "[concat(variables('subAssessmentSource'),variables('sourcesWithoutSubAssessments').sources)]", + "sources": "[if(equals(parameters('isSecurityFindingsEnabled'),bool('true')),variables('sourcesWithSubAssessments'),variables('sourcesWithoutSubAssessments').sources)]" + }, + "resources": [ + { + "condition": "[equals(parameters('enableAscForStorage'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2023-01-01", + "name": "StorageAccounts", + "properties": { + "pricingTier": "Standard", + "subPlan": "DefenderForStorageV2", + "extensions": [ + { + "name": "OnUploadMalwareScanning", + "isEnabled": "True", + "additionalExtensionProperties": { + "CapGBPerMonthPerStorageAccount": "5000" + } + }, + { + "name": "SensitiveDataDiscovery", + "isEnabled": "True" + } + ] + } + }, + { + "condition": "[equals(parameters('enableAscForServers'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2023-01-01", + "name": "VirtualMachines", + "dependsOn": [ + "[resourceId('Microsoft.Security/pricings', 'StorageAccounts')]" + ], + "properties": { + "pricingTier": "Standard", + "subPlan": "P2", + "resourcesCoverageStatus": "FullyCovered" + } + }, + { + "condition": "[equals(parameters('enableAscForSql'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2023-01-01", + "name": "SqlServers", + "dependsOn": [ + "[resourceId('Microsoft.Security/pricings', 'VirtualMachines')]" + ], + "properties": { + "pricingTier": "Standard" + } + }, + { + "condition": "[equals(parameters('enableAscForAppServices'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2023-01-01", + "name": "AppServices", + "dependsOn": [ + "[resourceId('Microsoft.Security/pricings', 'SqlServers')]" + ], + "properties": { + "pricingTier": "Standard" + } + }, + { + "condition": "[equals(parameters('enableAscForSqlOnVm'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2023-01-01", + "name": "SqlServerVirtualMachines", + "dependsOn": [ + "[resourceId('Microsoft.Security/pricings', 'AppServices')]" + ], + "properties": { + "pricingTier": "Standard" + } + }, + { + "condition": "[equals(parameters('enableAscForContainers'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2023-01-01", + "name": "Containers", + "dependsOn": [ + "[resourceId('Microsoft.Security/pricings', 'SqlServerVirtualMachines')]" + ], + "properties": { + "pricingTier": "Standard" + } + }, + { + "condition": "[equals(parameters('enableAscForKeyVault'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2023-01-01", + "name": "KeyVaults", + "dependsOn": [ + "[resourceId('Microsoft.Security/pricings', 'Containers')]" + ], + "properties": { + "pricingTier": "Standard" + } + }, + { + "condition": "[equals(parameters('enableAscForArm'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2023-01-01", + "name": "Arm", + "dependsOn": [ + "[resourceId('Microsoft.Security/pricings', 'KeyVaults')]" + ], + "properties": { + "pricingTier": "Standard" + } + }, + { + "condition": "[equals(parameters('enableAscForOssDb'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2023-01-01", + "name": "OpenSourceRelationalDatabases", + "dependsOn": [ + "[resourceId('Microsoft.Security/pricings', 'Arm')]" + ], + "properties": { + "pricingTier": "Standard" + } + }, + { + "condition": "[equals(parameters('enableAscForCosmosDbs'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2023-01-01", + "name": "CosmosDbs", + "dependsOn": [ + "[resourceId('Microsoft.Security/pricings', 'OpenSourceRelationalDatabases')]" + ], + "properties": { + "pricingTier": "Standard" + } + }, + { + "condition": "[equals(parameters('enableAscForCspm'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2023-01-01", + "name": "CloudPosture", + "dependsOn": [ + "[resourceId('Microsoft.Security/pricings', 'CosmosDbs')]" + ], + "properties": { + "pricingTier": "Standard" + } + }, + { + "condition": "[equals(parameters('enableAscForApis'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2023-01-01", + "name": "Api", + "dependsOn": [ + "[resourceId('Microsoft.Security/pricings', 'CloudPosture')]" + ], + "properties": { + "pricingTier": "Standard", + "subPlan": "P1" + } + }, + { + "type": "Microsoft.Security/securityContacts", + "apiVersion": "2020-01-01-preview", + "name": "default", + "properties": { + "description": "Defender for Cloud security contacts", + "emails": "[parameters('emailContactAsc')]", + "notificationsByRole": { + "state": "On", + "roles": [ + "Owner" + ] + }, + "alertNotifications": { + "state": "On", + "minimalSeverity": "Medium" + } + } + }, + { + "name": "[parameters('resourceGroupName')]", + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2019-10-01", + "location": "[parameters('resourceGroupLocation')]" + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[concat('nestedAutomationDeployment', '_', parameters('guidValue'))]", + "resourceGroup": "[parameters('resourceGroupName')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups/', parameters('resourceGroupName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "tags": {}, + "apiVersion": "2019-01-01-preview", + "location": "[parameters('resourceGroupLocation')]", + "name": "ExportToWorkspace", + "type": "Microsoft.Security/automations", + "dependsOn": [], + "properties": { + "description": "Export Microsoft Defender for Cloud data to Log Analytics workspace via policy", + "isEnabled": true, + "scopes": [ + { + "description": "[replace(variables('scopeDescription'),'{0}', subscription().subscriptionId)]", + "scopePath": "[subscription().id]" + } + ], + "sources": "[variables('sources')]", + "actions": [ + { + "actionType": "Workspace", + "workspaceResourceId": "[parameters('logAnalyticsResourceId')]" + } + ] + } + } + ] + } + } + } + ], + "outputs": {} +} \ No newline at end of file From 8b5146e623cf04af72698a7f93f19044121cfa00 Mon Sep 17 00:00:00 2001 From: yuanzhang9 Date: Mon, 30 Sep 2024 13:15:44 +0800 Subject: [PATCH 30/35] update based on Sacha'f review comments --- .../Deploy-Private-DNS-Zones.AzureChinaCloud.json | 2 +- .../policySetDefinitions/Enforce-ALZ-Decomm.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json index 5726895cad..d0b0bb9424 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json @@ -8,7 +8,7 @@ "displayName": "Configure Azure PaaS services to use private DNS zones", "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones", "metadata": { - "version": "1.2.0", + "version": "1.1.0", "category": "Network", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json index fc9d50ca61..aca3514063 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json @@ -13,7 +13,7 @@ "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ "AzureCloud", - "AzureChinaCloud" + "AzureUSGovernment" ] }, "parameters": { From 382f0b837fad5c18bfc9fe01d0e2e3fb47759a87 Mon Sep 17 00:00:00 2001 From: yuanzhang9 Date: Mon, 30 Sep 2024 15:29:52 +0800 Subject: [PATCH 31/35] Update to hide vWAN routing intent for mooncake --- eslzArm/eslz-portal.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index ad5902ee48..44b9d879d7 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -2466,7 +2466,7 @@ "type": "Microsoft.Common.OptionsGroup", "label": "Enable vWAN Routing Intent", "defaultValue": "No", - "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'nva')), not(equals(steps('connectivity').enableHub, 'vhub')), equals(steps('connectivity').enableAzFw, 'Yes'))]", + "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'nva')), not(equals(steps('connectivity').enableHub, 'vhub')), equals(steps('connectivity').enableAzFw, 'Yes'), not(equals(steps('basics').cloudEnvironment.selection, 'AzureChinaCloud')))]", "toolTip": "Enable vWan Routing Intent and set Azure Firewall as the next hop either for Internet Traffic, Private Traffic or both", "constraints": { "allowedValues": [ From cf436773fbc06df2150aa6723938acb00f54d97c Mon Sep 17 00:00:00 2001 From: yuanzhang9 Date: Mon, 30 Sep 2024 15:36:13 +0800 Subject: [PATCH 32/35] Update to hide vWAN routing intent for mooncake in Sencondary region --- eslzArm/eslz-portal.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 44b9d879d7..02aecd9d13 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -3581,7 +3581,7 @@ "type": "Microsoft.Common.OptionsGroup", "label": "Enable vWAN Routing Intent in your second", "defaultValue": "No", - "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'nva')), not(equals(steps('connectivity').enableHub, 'vhub')), equals(steps('connectivity').esNetworkSecondarySubSection.enableAzFwSecondary, 'Yes'))]", + "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'nva')), not(equals(steps('connectivity').enableHub, 'vhub')), equals(steps('connectivity').esNetworkSecondarySubSection.enableAzFwSecondary, 'Yes'), not(equals(steps('basics').cloudEnvironment.selection, 'AzureChinaCloud')))]", "toolTip": "Enable vWan Routing Intent and set Azure Firewall as the next hop either for Internet Traffic, Private Traffic or both", "constraints": { "allowedValues": [ From 9eef10773b1b4a9fd4fe2f7350de738bd24ea4a2 Mon Sep 17 00:00:00 2001 From: Yuan Zhang <114724932+yuanzhang9@users.noreply.github.com> Date: Fri, 18 Oct 2024 21:06:21 +0800 Subject: [PATCH 33/35] Delete eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json This needs to be excluded as auto generated file. --- .../customRoleDefinitions.json | 170 ------------------ 1 file changed, 170 deletions(-) delete mode 100644 eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json diff --git a/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json b/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json deleted file mode 100644 index 87e9aa6628..0000000000 --- a/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json +++ /dev/null @@ -1,170 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "14490525755972949150" - } - }, - "variables": { - "$fxv#0": { - "name": "c9a07a05-a1fc-53fe-a565-5eed25597c03", - "type": "Microsoft.Authorization/roleDefinitions", - "apiVersion": "2022-04-01", - "properties": { - "roleName": "Application-Owners", - "description": "Contributor role granted for application/operations team at resource group level", - "type": "customRole", - "permissions": [ - { - "actions": [ - "*" - ], - "notActions": [ - "Microsoft.Authorization/*/write", - "Microsoft.Network/publicIPAddresses/write", - "Microsoft.Network/virtualNetworks/write", - "Microsoft.KeyVault/locations/deletedVaults/purge/action" - ], - "dataActions": [], - "notDataActions": [] - } - ], - "assignableScopes": [ - "/providers/Microsoft.Management/managementGroups/contoso" - ] - } - }, - "$fxv#1": { - "name": "402344ce-48c4-5ac1-9320-16726050f964", - "type": "Microsoft.Authorization/roleDefinitions", - "apiVersion": "2022-04-01", - "properties": { - "roleName": "Subscription-Owner", - "description": "Delegated role for subscription owner generated from subscription Owner role", - "type": "customRole", - "permissions": [ - { - "actions": [ - "*" - ], - "notActions": [ - "Microsoft.Authorization/*/write", - "Microsoft.Network/vpnGateways/*", - "Microsoft.Network/expressRouteCircuits/*", - "Microsoft.Network/routeTables/write", - "Microsoft.Network/vpnSites/*" - ], - "dataActions": [], - "notDataActions": [] - } - ], - "assignableScopes": [ - "/providers/Microsoft.Management/managementGroups/contoso" - ] - } - }, - "$fxv#2": { - "name": "d3584a79-4f0d-5980-aa3c-7a76ba783b76", - "type": "Microsoft.Authorization/roleDefinitions", - "apiVersion": "2022-04-01", - "properties": { - "roleName": "Security-Operations", - "description": "Security Administrator role with a horizontal view across the entire Azure estate and the Azure Key Vault purge policy.", - "type": "customRole", - "permissions": [ - { - "actions": [ - "*/read", - "*/register/action", - "Microsoft.KeyVault/locations/deletedVaults/purge/action", - "Microsoft.PolicyInsights/*", - "Microsoft.Authorization/policyAssignments/*", - "Microsoft.Authorization/policyDefinitions/*", - "Microsoft.Authorization/policyExemptions/*", - "Microsoft.Authorization/policySetDefinitions/*", - "Microsoft.Insights/alertRules/*", - "Microsoft.Resources/deployments/*", - "Microsoft.Security/*", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "assignableScopes": [ - "/providers/Microsoft.Management/managementGroups/contoso" - ] - } - }, - "$fxv#3": { - "name": "dc726155-3983-5405-b446-9bb27b94e02c", - "type": "Microsoft.Authorization/roleDefinitions", - "apiVersion": "2022-04-01", - "properties": { - "roleName": "Network-Management", - "description": "Platform-wide global connectivity management: virtual networks, UDRs, NSGs, NVAs, VPN, Azure ExpressRoute, and others", - "type": "customRole", - "permissions": [ - { - "actions": [ - "*/read", - "Microsoft.Network/*", - "Microsoft.Resources/deployments/*", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "assignableScopes": [ - "/providers/Microsoft.Management/managementGroups/contoso" - ] - } - }, - "cloudEnv": "[environment().name]", - "loadRoleDefinitions": { - "All": [ - "[variables('$fxv#0')]", - "[variables('$fxv#1')]" - ], - "AzureCloud": [ - "[variables('$fxv#2')]", - "[variables('$fxv#3')]" - ], - "AzureChinaCloud": [], - "AzureUSGovernment": [] - }, - "roleDefinitionsByCloudType": { - "All": "[variables('loadRoleDefinitions').All]", - "AzureCloud": "[variables('loadRoleDefinitions').AzureCloud]", - "AzureChinaCloud": "[variables('loadRoleDefinitions').AzureChinaCloud]", - "AzureUSGovernment": "[variables('loadRoleDefinitions').AzureUSGovernment]" - }, - "roleDefinitions": "[concat(variables('roleDefinitionsByCloudType').All, variables('roleDefinitionsByCloudType')[variables('cloudEnv')])]" - }, - "resources": [ - { - "copy": { - "name": "RoleDefinitions", - "count": "[length(variables('roleDefinitions'))]" - }, - "type": "Microsoft.Authorization/roleDefinitions", - "apiVersion": "2022-04-01", - "name": "[guid(variables('roleDefinitions')[copyIndex()].properties.roleName, managementGroup().name)]", - "properties": { - "roleName": "[format('[{0}] {1}', managementGroup().name, variables('roleDefinitions')[copyIndex()].properties.roleName)]", - "description": "[variables('roleDefinitions')[copyIndex()].properties.description]", - "type": "[variables('roleDefinitions')[copyIndex()].properties.type]", - "permissions": "[variables('roleDefinitions')[copyIndex()].properties.permissions]", - "assignableScopes": [ - "[managementGroup().id]" - ] - } - } - ] -} \ No newline at end of file From ec6177a40920ec05724efe278f7188f1d3e9d9c5 Mon Sep 17 00:00:00 2001 From: yuanzhang9 Date: Fri, 18 Oct 2024 21:08:49 +0800 Subject: [PATCH 34/35] Update to hide vWAN routing intent for mooncake in Sencondary region --- eslzArm/eslz-portal.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 44b9d879d7..02aecd9d13 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -3581,7 +3581,7 @@ "type": "Microsoft.Common.OptionsGroup", "label": "Enable vWAN Routing Intent in your second", "defaultValue": "No", - "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'nva')), not(equals(steps('connectivity').enableHub, 'vhub')), equals(steps('connectivity').esNetworkSecondarySubSection.enableAzFwSecondary, 'Yes'))]", + "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'nva')), not(equals(steps('connectivity').enableHub, 'vhub')), equals(steps('connectivity').esNetworkSecondarySubSection.enableAzFwSecondary, 'Yes'), not(equals(steps('basics').cloudEnvironment.selection, 'AzureChinaCloud')))]", "toolTip": "Enable vWan Routing Intent and set Azure Firewall as the next hop either for Internet Traffic, Private Traffic or both", "constraints": { "allowedValues": [ From fbea8cc94a3000eed6ccb86b337e89f08de42f36 Mon Sep 17 00:00:00 2001 From: Yuan Zhang <114724932+yuanzhang9@users.noreply.github.com> Date: Fri, 18 Oct 2024 21:30:17 +0800 Subject: [PATCH 35/35] Add files via upload --- .../customRoleDefinitions.json | 170 ++++++++++++++++++ 1 file changed, 170 insertions(+) create mode 100644 eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json diff --git a/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json b/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json new file mode 100644 index 0000000000..87e9aa6628 --- /dev/null +++ b/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json @@ -0,0 +1,170 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.22.6.54827", + "templateHash": "14490525755972949150" + } + }, + "variables": { + "$fxv#0": { + "name": "c9a07a05-a1fc-53fe-a565-5eed25597c03", + "type": "Microsoft.Authorization/roleDefinitions", + "apiVersion": "2022-04-01", + "properties": { + "roleName": "Application-Owners", + "description": "Contributor role granted for application/operations team at resource group level", + "type": "customRole", + "permissions": [ + { + "actions": [ + "*" + ], + "notActions": [ + "Microsoft.Authorization/*/write", + "Microsoft.Network/publicIPAddresses/write", + "Microsoft.Network/virtualNetworks/write", + "Microsoft.KeyVault/locations/deletedVaults/purge/action" + ], + "dataActions": [], + "notDataActions": [] + } + ], + "assignableScopes": [ + "/providers/Microsoft.Management/managementGroups/contoso" + ] + } + }, + "$fxv#1": { + "name": "402344ce-48c4-5ac1-9320-16726050f964", + "type": "Microsoft.Authorization/roleDefinitions", + "apiVersion": "2022-04-01", + "properties": { + "roleName": "Subscription-Owner", + "description": "Delegated role for subscription owner generated from subscription Owner role", + "type": "customRole", + "permissions": [ + { + "actions": [ + "*" + ], + "notActions": [ + "Microsoft.Authorization/*/write", + "Microsoft.Network/vpnGateways/*", + "Microsoft.Network/expressRouteCircuits/*", + "Microsoft.Network/routeTables/write", + "Microsoft.Network/vpnSites/*" + ], + "dataActions": [], + "notDataActions": [] + } + ], + "assignableScopes": [ + "/providers/Microsoft.Management/managementGroups/contoso" + ] + } + }, + "$fxv#2": { + "name": "d3584a79-4f0d-5980-aa3c-7a76ba783b76", + "type": "Microsoft.Authorization/roleDefinitions", + "apiVersion": "2022-04-01", + "properties": { + "roleName": "Security-Operations", + "description": "Security Administrator role with a horizontal view across the entire Azure estate and the Azure Key Vault purge policy.", + "type": "customRole", + "permissions": [ + { + "actions": [ + "*/read", + "*/register/action", + "Microsoft.KeyVault/locations/deletedVaults/purge/action", + "Microsoft.PolicyInsights/*", + "Microsoft.Authorization/policyAssignments/*", + "Microsoft.Authorization/policyDefinitions/*", + "Microsoft.Authorization/policyExemptions/*", + "Microsoft.Authorization/policySetDefinitions/*", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Security/*", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "assignableScopes": [ + "/providers/Microsoft.Management/managementGroups/contoso" + ] + } + }, + "$fxv#3": { + "name": "dc726155-3983-5405-b446-9bb27b94e02c", + "type": "Microsoft.Authorization/roleDefinitions", + "apiVersion": "2022-04-01", + "properties": { + "roleName": "Network-Management", + "description": "Platform-wide global connectivity management: virtual networks, UDRs, NSGs, NVAs, VPN, Azure ExpressRoute, and others", + "type": "customRole", + "permissions": [ + { + "actions": [ + "*/read", + "Microsoft.Network/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "assignableScopes": [ + "/providers/Microsoft.Management/managementGroups/contoso" + ] + } + }, + "cloudEnv": "[environment().name]", + "loadRoleDefinitions": { + "All": [ + "[variables('$fxv#0')]", + "[variables('$fxv#1')]" + ], + "AzureCloud": [ + "[variables('$fxv#2')]", + "[variables('$fxv#3')]" + ], + "AzureChinaCloud": [], + "AzureUSGovernment": [] + }, + "roleDefinitionsByCloudType": { + "All": "[variables('loadRoleDefinitions').All]", + "AzureCloud": "[variables('loadRoleDefinitions').AzureCloud]", + "AzureChinaCloud": "[variables('loadRoleDefinitions').AzureChinaCloud]", + "AzureUSGovernment": "[variables('loadRoleDefinitions').AzureUSGovernment]" + }, + "roleDefinitions": "[concat(variables('roleDefinitionsByCloudType').All, variables('roleDefinitionsByCloudType')[variables('cloudEnv')])]" + }, + "resources": [ + { + "copy": { + "name": "RoleDefinitions", + "count": "[length(variables('roleDefinitions'))]" + }, + "type": "Microsoft.Authorization/roleDefinitions", + "apiVersion": "2022-04-01", + "name": "[guid(variables('roleDefinitions')[copyIndex()].properties.roleName, managementGroup().name)]", + "properties": { + "roleName": "[format('[{0}] {1}', managementGroup().name, variables('roleDefinitions')[copyIndex()].properties.roleName)]", + "description": "[variables('roleDefinitions')[copyIndex()].properties.description]", + "type": "[variables('roleDefinitions')[copyIndex()].properties.type]", + "permissions": "[variables('roleDefinitions')[copyIndex()].properties.permissions]", + "assignableScopes": [ + "[managementGroup().id]" + ] + } + } + ] +} \ No newline at end of file